Abstract. Some type-based approaches to termination use sized types: an ordinal bound for the size of a data structure is stored in its type. A recursive function over a sized type is accepted if it is visible in the type system that recursive calls occur just at a smaller size. This approach is only sound if the type of the recursive function is admissible, i.e., depends on the size index in a certain way. To explore the space of admissible functions in the presence of higher-kinded data types and impredicative polymorphism, a semantics is developed where sized types are interpreted as functions from ordinals into sets of strongly normalizing terms. It is shown that upper semi-continuity of such functions is a sufficient semantic criterion for admissibility. To provide a syntactical criterion, a calculus for semi-continuous functions is developed.



1. Introduction

Termination of computer programs has received continuous interest in the history of computer science, and classical applications are total correctness and termination of partial evaluation. In languages with a notion of computation on the type-level, such as dependently-typed languages or rich typed intermediate languages in compilers [CW99], termination of expressions that compute a type is required for type checking and type soundness. Further, theorem provers that are based on the Curry-Howard Isomorphism and offer a functional programming language to write down proofs usually reject non-terminating programs to ensure consistency. Since the pioneering work of Mendler [Men87], termination analysis has been combined with typing, with much success for strongly-typed languages [HPS96, ACG98, Gim98, Xi01, BFG+04, Bla04]. The resulting technique, type-based termination checking, has several advantages over a purely syntactical termination analysis: (1) It is robust w.r.t. small changes of the analyzed program, since it is working on an abstraction of the program: its type. So if the reformulation of a program (e.g., by introducing a redex) still can be assigned the same sized type, it automatically passes the termination check. (2) In design and justification, type-based termination rests on a technology extensively studied for several decades: types. (3) Type-based termination is essentially a refinement of the typing rules for recursion and for introduction and elimination of data. This is orthogonal to other language constructs, like variants, records, and modules. Thus, a language can be easily enriched by such constructs without change to the termination checker. This is not true if termination checking is a separate static analysis. Orthogonality has an especially pleasing effect: (4) Type-based termination scales to higher-order functions and polymorphism. (5) Last but not least, it effortlessly creates a termination certificate, which is just the typing derivation.

Type-based termination especially plays its strength when combined with higher-order datatypes and higher-rank polymorphism, i.e., occurrence of ∀ to the left of an arrow. Let us see an example. We consider the type of generalized rose trees GRose F A parameterized by an element type A and the branching type F. It is given by two constructors:

    leaf : GRose F A
    node : A → F (GRose F A) → GRose F A

Generalized rose trees are either a leaf or a node a fr of a label a of type A and a collection of subtrees fr of type F (GRose F A). Instances of generalized rose trees are binary trees (F A = A × A), finitely branching trees (F A = List A), or infinitely branching trees (F A = Nat → A). Programming a generic equality function for generalized rose trees that is polymorphic in F and A, we will end up with the following equations:

    Eq A = A → A → Bool

    eqGRose : (∀A. Eq A → Eq (F A)) → ∀A. Eq A → Eq (GRose F A)
    eqGRose eqF eqA leaf leaf = true
    eqGRose eqF eqA (node a fr) (node a' fr') = (eqA a a') ∧ (eqF (eqGRose eqF eqA) fr fr')
    eqGRose eqF eqA _ _ = false

The generic equality eqGRose takes two parametric arguments, eqF and eqA. The second one is a placeholder for an equality test for type A, the first one lifts an equality test for an arbitrary type A to an equality test for the type F A. The equality test for generalized rose trees, eqGRose eqF eqA, is then defined by recursion on the next two arguments. In the case of two nodes we would expect a recursive call, but instead, the function itself is passed as an argument to eqF, one of its own arguments! Nevertheless, eqGRose is a total function, provided its arguments are total and well-typed. However, with traditional methods, which only take the computational behavior into account, it will be hard to verify termination of eqGRose. This is due to the fact that the polymorphic nature of eqF plays a crucial role. It is easy to find an instance of eqF of the wrong type which makes the program loop. Take, for instance,

    eqF : Eq (GRose F Nat) → Eq (F (GRose F Nat))
    eqF eq fr fr' = eq (node 0 fr) (node 0 fr')
A type-based termination criterion however passes eqGRose with ease: Consider the indexed type GRose^i F A of generalized rose trees whose height is smaller than i. The types of the constructors are refined as follows:

    leaf : ∀F∀A∀i. GRose^{i+1} F A
    node : ∀F∀A∀i. A → F (GRose^i F A) → GRose^{i+1} F A

When defining eqGRose for trees of height < i+1, we may use eqGRose on trees of height < i. Hence, in the clause for two nodes, the term eqGRose eqF eqA has type Eq (GRose^i F A), and eqF (eqGRose eqF eqA) gets type Eq (F (GRose^i F A)), by instantiation of the polymorphic type of eqF. Now it is safe to apply the last expression to fr and fr', which are in F (GRose^i F A), since node a fr and node a' fr' were assumed to be in GRose^{i+1} F A.
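The eqGRose example, rendered in Python as an added illustration (our code, not the paper's): eq_grose passes itself to eqF exactly as above, eqF_list and eqF_pair are the finitely branching and binary instances, eqF_bad is the ill-typed instance from the introduction, and eq_grose_sized enforces the sized-type discipline at run time (every call on trees in GRose^{i+1} may only pass trees of height < i+1 to eq), so the ill-typed eqF is rejected instead of looping. All names are ours, and height is only defined for list-branching F.

```python
from dataclasses import dataclass

# Added example, not code from the paper.  Generalized rose trees GRose F A:
#   leaf : GRose F A          node : A -> F (GRose F A) -> GRose F A
@dataclass(frozen=True)
class Leaf:
    pass

@dataclass(frozen=True)
class Node:
    label: object      # a : A
    subtrees: object   # fr : F (GRose F A); a list for F A = List A, a pair for F A = A x A

def eq_grose(eqF, eqA):
    """eqGRose eqF eqA : Eq (GRose F A), the three clauses from the introduction."""
    def eq(t1, t2):
        if isinstance(t1, Leaf) and isinstance(t2, Leaf):
            return True
        if isinstance(t1, Node) and isinstance(t2, Node):
            # No syntactic recursive call: eq itself is handed to eqF.
            return eqA(t1.label, t2.label) and eqF(eq)(t1.subtrees, t2.subtrees)
        return False
    return eq

# Two well-typed instances of eqF : forall A. Eq A -> Eq (F A).
def eqF_list(eqX):              # F A = List A: finitely branching trees
    return lambda xs, ys: len(xs) == len(ys) and all(eqX(x, y) for x, y in zip(xs, ys))

def eqF_pair(eqX):              # F A = A x A: binary trees
    return lambda p, q: eqX(p[0], q[0]) and eqX(p[1], q[1])

# The ill-typed instance Eq (GRose F Nat) -> Eq (F (GRose F Nat)) from the text:
# it is not polymorphic in A and calls eq on trees that are not smaller.
def eqF_bad(eq):
    return lambda fr, fr2: eq(Node(0, fr), Node(0, fr2))

def height(t):
    """Number of data constructors on the longest path (list-branching F only)."""
    if isinstance(t, Leaf):
        return 1
    return 1 + max((height(s) for s in t.subtrees), default=0)

class SizeViolation(Exception):
    """eq was called on trees whose height is not below the current size bound."""

def eq_grose_sized(eqF, eqA):
    """eq_grose with the sized typing made dynamic: while two nodes of
    GRose^{i+1} F A are compared, eq may only be applied to trees of
    height < i+1 (i.e. in GRose^i F A).  A violation raises instead of looping."""
    bound = [None]                       # stack of the bounds i+1 currently in force
    def eq(t1, t2):
        h = max(height(t1), height(t2))
        if bound[-1] is not None and h >= bound[-1]:
            raise SizeViolation(f"call at height {h}, bound {bound[-1]}")
        if isinstance(t1, Leaf) and isinstance(t2, Leaf):
            return True
        if isinstance(t1, Node) and isinstance(t2, Node):
            bound.append(h)
            try:
                return eqA(t1.label, t2.label) and eqF(eq)(t1.subtrees, t2.subtrees)
            finally:
                bound.pop()
        return False
    return eq

def diverges(eqF, eqA, t1, t2):
    """True if the unrestricted equality overruns Python's recursion limit."""
    try:
        eq_grose(eqF, eqA)(t1, t2)
        return False
    except RecursionError:
        return True

def rejected_by_size_check(eqF, eqA, t1, t2):
    """True if the size-instrumented equality detects a call at a non-smaller size."""
    try:
        eq_grose_sized(eqF, eqA)(t1, t2)
        return False
    except SizeViolation:
        return True

# Constructed sample trees.
eq_int = lambda a, b: a == b
T1 = Node(1, [Node(2, []), Node(3, [Leaf()])])
T2 = Node(1, [Node(2, []), Node(3, [Leaf()])])
T3 = Node(1, [Node(2, []), Node(4, [Leaf()])])
B1 = Node("r", (Leaf(), Node("x", (Leaf(), Leaf()))))
B2 = Node("r", (Leaf(), Node("x", (Leaf(), Leaf()))))

if __name__ == "__main__":
    print(eq_grose(eqF_list, eq_int)(T1, T2), eq_grose(eqF_list, eq_int)(T1, T3))
    print(eq_grose(eqF_pair, eq_int)(B1, B2))
    print(diverges(eqF_bad, eq_int, T1, T2), rejected_by_size_check(eqF_bad, eq_int, T1, T2))
```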

In essence, type-based termination is a stricter typing of the fixed-point combinator fix which introduces recursion. The unrestricted use, via the typing rule (1), is replaced by a rule with a stronger hypothesis (2):

$$\frac{f : A}{\mathsf{fix}\, f : A}\ (1) \qquad\qquad \frac{f : \forall i.\, A(i) \to A(i+1)}{\mathsf{fix}\, f : \forall n.\, A(n)}\ (2)$$

Soundness of rule (2) can be shown by induction on n. To get started, we need to show fix f : A(0) which requires A(i) to be of a special shape, for instance A(i) = GRose^i F B → C (this corresponds to Hughes, Pareto, and Sabry's bottom check [HPS96]). Then A(0) denotes functions which have to behave well for all arguments in GRose^0 F B, i.e., for no arguments, since GRose^0 F B is empty. Trivially, any program fulfills this condition. In the step case, we need to show fix f : A(n+1), but this follows from the equation fix f = f (fix f) since f : A(n) → A(n+1), and fix f : A(n) by induction hypothesis.

In general, the index i in A(i) will be an ordinal number. Ordinals are useful when we want to speak of objects of unbounded size, e.g., generalized rose trees of height < ω that inhabit the type GRose^ω F A. Even more, ordinals are required to denote the height of infinitely branching trees: take generalized rose trees with F A = Nat → A. Other examples of infinite branching, which come from the area of type-theoretic theorem provers, are the W-type, Brouwer ordinals and the accessibility predicate [PM92].

In the presence of ordinal indices, rule (2) has to be proven sound by transfinite induction. In the case of a limit ordinal λ, we have to infer fix f : A(λ) from the induction hypothesis fix f : ∀α < λ. A(α). This imposes extra conditions on the shape of a so-called admissible type A, which are the object of this article. Of course, a monotone A is trivially admissible, but many interesting types for recursive functions are not monotone, like A(α) = Nat^α → Nat^α → Nat^α (where Nat^α contains the natural numbers < α). We will show that all those types A(α) are admissible that are upper semi-continuous in α, meaning limsup_{α→λ} A(α) ⊆ A(λ) for limit ordinals λ. Function types C(α) = A(α) → B(α) will be admissible if A is lower semi-continuous (A(λ) ⊆ liminf_{α→λ} A(α)) and B is upper semi-continuous. Similar laws will be developed for the other type constructors and put into the form of a kinding system for semi-continuous types.

Before we dive into the mathematics, let us make sure that semi-continuity is relevant for termination. A type which is not upper semi-continuous is A(i) = (Nat^ω → Nat^i) → Nat^ω (see Sect. 5). Assuming we can nevertheless use this type for a recursive function, we can construct a loop. First, define successor succ : Nat^i → Nat^{i+1} and predecessor pred : ∀i. Nat^{i+1} → Nat^i. Note that the size index is an upper bound and ω is the biggest such bound for the case of natural numbers, thus, we have the subtyping relations Nat^i ≤ Nat^{i+1} ≤ ··· ≤ Nat^ω ≤ Nat^{ω+1} ≤ Nat^ω. We make the following definitions:

    A(i)  := (Nat^ω → Nat^i) → Nat^ω
    f     : ∀i. A(i) → A(i+1)
    f     := λloop λg. loop (shift g)
    shift : ∀i. (Nat^ω → Nat^{i+1}) → Nat^ω → Nat^i
    shift := λg λn. pred (g (succ n))
    loop  : ∀i. A(i)
    loop  := fix f

Since Nat^ω → Nat^0 is empty, A passes the bottom check. Still, instantiating types to succ : Nat^ω → Nat^ω and loop : (Nat^ω → Nat^ω) → Nat^ω we convince ourselves that the execution of loop succ indeed runs forever.



1.1. Related Work and Contribution. Ensuring termination through typing is quite an old idea, just think of type systems for the λ-calculus like simple types, System F, System F^ω, or the Calculus of Constructions, which all have the normalization property. These systems have been extended by special recursion operators, like primitive recursion in Gödel's T, or the recursors generated for inductive definitions in Type Theory (e.g., in Coq). These recursion operators preserve normalization but limit the definition of recursive functions to special patterns, namely instantiations of the recursion scheme dictated by the recursion operator. Taming general recursion fix f through typing, however, which allows the definition of recursive functions in the intuitive way known from functional programming, is not yet fully explored. Mendler [Men87] pioneered this field; he used a certain polymorphic typing of the functional f to obtain primitive (co)recursive functions over arbitrary datatypes. Amadio and Coupet-Grimal [ACG98] and Gimenez [Gim98] developed Mendler's approach further, until a presentation using ordinal-indexed (co)inductive types was found and proven sound by Barthe et al. [BFG+04]. The system λ̂ presented in loc. cit. restricts types A(i) of recursive functions to the shape μ^i F → C(i) where the domain must be an inductive type μ^i F indexed by i and the codomain a type C(i) that is monotonic in i. This criterion, which has also been described by the author [Abe04], allows for a simple soundness proof in the limit case of the transfinite induction, but excludes interesting types like the considered

    Eq (GRose^i F A) = GRose^i F A → GRose^i F A → Bool

which has an antitonic codomain C(i) = GRose^i F A → Bool. The author has in previous work widened the criterion, but only for a type system without polymorphism [Abe03]. Other recent works on type-based termination [Bla04, Bla05, BGP05] stick to the restriction of λ̂. Xi [Xi01] uses dependent types and lexicographic measures to ensure termination of recursive programs in a call-by-value language, but his indices are natural numbers instead of ordinals; this excludes infinite objects we are interested in.

Closest to the present work is the sized type system of Hughes, Pareto, and Sabry [HPS96], Synchronous Haskell [Par00], which admits ordinal indices up to ω. Index quantifiers as in ∀i. A(i) range over natural numbers, but can be instantiated to ω if A(i) is ω-undershooting. Sound semantic criteria for ω-undershooting types are already present, but in a somewhat ad-hoc manner. We cast these criteria in the established mathematical framework of semi-continuous functions and provide a syntactical implementation in form of a derivation system. Furthermore, we allow ordinals beyond ω and infinitely branching inductive types that invalidate some criteria for the only finitely branching tree types in Synchronous Haskell. Finally, we allow polymorphic recursion, impredicative polymorphism and higher-kinded inductive and coinductive types such as GRose. This article summarizes the main results of the author's dissertation [Abe06b]. A shorter version has appeared in the CSL'06 proceedings [Abe06c].

1.2. Contents. In Section 2 we introduce the syntax of F^ω̂, our λ-calculus with higher-kinded polymorphism, recursion over higher-kinded inductive types and corecursion into higher-kinded coinductive types. Static semantics (i.e., typing rules) and dynamic semantics (i.e., reduction rules) are presented there, and we formally express the eqGRose-example from the introduction in F^ω̂. In Section 3 we model the types of F^ω̂ as saturated sets of strongly normalizing terms in order to show termination of well-typed programs. After these two technical sections we come to the main part of this article: In Section 4 we identify compositional criteria for semi-continuous types and in Section 5 we justify the absence of certain composition schemes by giving counterexamples. These results are put in the form of a calculus for semi-continuous types in Section 6, culminating in syntactic rules for admissible (co)recursion types. We close by giving some practical examples for admissible types.

1.3. Preliminaries. We assume that the reader is to some extent acquainted with the higher-order polymorphic lambda-calculus, System F^ω (see Pierce's text book [Pie02]) and has some knowledge of ordinals, inductive types, and strong normalization.

2. Overview of System F^ω̂

In this section we introduce F^ω̂, an a posteriori strongly normalizing extension of System F^ω with higher-kinded inductive and coinductive types and (co)recursion combinators. Figure 1 summarizes the syntactic entities.

2.1. Type constructors. We seek to model sized types like GRose^i F A whose first parameter F is a type constructor of kind * → *, meaning that it maps types to types. It is therefore suggestive to take F^ω as basis, which formalizes type constructors of arbitrary kind and, e.g., lays the foundation for the purely functional language Haskell. In the introduction, we have presented GRoses as built from two (data) constructors leaf and node; however, for a theoretic analysis it is more convenient to consider GRose F A as the least fixed-point of the type constructor λX. 1 + (A × F X). For this we write

    GRose F A := μλX. 1 + (A × F X).

Herein, 1 is the unit type and + the disjoint sum. Taking the empty tuple () : 1 to be the inhabitant of the unit type and inl : A → (A + B) and inr : B → (A + B) the two injections into the disjoint sum lets us define the original data constructors:

    leaf : GRose F A
    leaf := in (inl ())

    node : A → F (GRose F A) → GRose F A
    node := λa λfr. in (inr (a, fr))

(The tag in introduces an inductive type, see below.)
Polarities, kinds, constructors, kinding contexts.

    p                 ::= + | − | ∘                                         polarity
    κ                 ::= * | ord | pκ → κ'                                kind (pure if ord does not occur)
    a, b, A, B, F, G  ::= C | X | λX:κ. F | F G                            (type) constructor
    C                 ::= 1 | + | × | → | ∀_κ | μ_κ | ν_κ | s | ∞            constructor constants
    Δ                 ::= ∘ | Δ, X:pκ                                      kinding context

Constructor constants and their kinds (κ → κ' means ∘κ → κ').

    1    : *                                   unit type
    +    : +* → +* → *                         disjoint sum
    ×    : +* → +* → *                         cartesian product
    →    : −* → +* → *                         function space
    ∀_κ  : +(κ → *) → *                        quantification
    μ_κ  : +ord → +(+κ → κ) → κ                inductive constructors
    ν_κ  : −ord → +(+κ → κ) → κ                coinductive constructors
    s    : +ord → ord                          successor of ordinal
    ∞    : ord                                 infinity ordinal

Objects (terms), values, evaluation frames, typing contexts.

    r, s, t  ::= c | x | λxt | r s                                                        term
    c        ::= () | pair | fst | snd | inl | inr | case | in | out | fix^μ_n | fix^ν_n   constant (n ∈ ℕ)
    v        ::= λxt | pair t1 t2 | inl t | inr t | in t | c | pair t | fix^ν_n s t1..m    value (m ≤ n)
    e(_)     ::= _ s | fst _ | snd _ | case _ | out _ | fix^μ_n s t1..n _                  evaluation frame
    E(_)     ::= e1(...en(_)...)                                                          evaluation context (n ≥ 0)
    Γ        ::= ∘ | Γ, x:A | Γ, X:pκ                                                      typing context

Reduction t → t'.

    (λxt) s                 → [s/x]t
    fst (r, s)              → r
    snd (r, s)              → s
    case (inl r)            → λxλy. x r                      (*)
    case (inr r)            → λxλy. y r                      (*)
    out (in r)              → r
    fix^μ_n s t1..n (in t)  → s (fix^μ_n s) t1..n (in t)
    out (fix^ν_n s t1..n)   → out (s (fix^ν_n s) t1..n)

    (*) x, y ∉ FV(r)
    + closure under all term constructs

Figure 1: F^ω̂: Syntax and operational semantics.
2.2. Polarized kinds. Negative recursive types such as μλX. X → 1 allow the coding of Y and other fixed-point combinators as pure λ-terms, so one can write recursive programs without special syntax for recursion [Men87]. For our purposes, this is counter-productive: type systems for termination need to identify all uses of recursion. Therefore, we restrict to positive recursive types μH where H is monotone. In the case of GRose, the underlying constructor H X = 1 + (A × F X) must be monotone, which is the case if F is monotone. So GRose F A is only well-formed for monotone F. To distinguish type constructors by their monotonicity behavior, also called variance, we equip function kinds with polarities p [Ste98], which are written before the domain or on top of the arrow. Polarity + denotes covariant constructors, − contravariant constructors and ∘ mixed-variant constructors [DC99]. For instance:

    λX. X → 1          : −* → *
    λX. X → X          : ∘* → *
    λX. Int → (1 + X)  : +* → *
    GRose              : +(+* → *) → +* → *

Abel [Abe06a] and Matthes [AM04] provide more explanation on polarities.

2.3. Sized inductive types. We refine inductive types μF to sized inductive types μ^a F. The first argument, a, which we usually write as superscript, denotes the upper bound for the height of data represented by terms of the inductive type. The index a is a constructor of kind ord and denotes an ordinal; the relevant ordinal expressions are given by the grammar

    a ::= i | s a | ∞

with i an ordinal variable.¹ If a actually denotes a finite ordinal (a natural number), then the height is simply the number of data constructors on the longest path in the tree structure of any element of μ^a F. Since a is only an upper bound, μ^a F is a subtype of μ^b F, written μ^a F ≤ μ^b F for a ≤ b, meaning that μ is covariant in the index argument. Finally, F ≤ F' implies μ^a F ≤ μ^a F', so we get the kinding

    μ : +ord → +(+* → *) → *

for the least fixed-point constructor. For the closure ordinal ∞, we have

    μ^∞ F = μ^{∞+1} F,

where ∞+1 is a shorthand for s∞, s : ord → ord being the successor on ordinals.

Because ∞ denotes the closure ordinal, the axiom s∞ = ∞ is justified. Equality on type constructors is defined as the least congruent equivalence relation closed under this equation and βη.

At this point, let us stress that the syntax of ordinals is extremely simple, hence, equality of types and subtyping is decidable. The user can think of ordinals as of natural numbers with infinity, although they will be interpreted as real ordinals up to a fairly large closure ordinal in Section 3.

¹ One could add a constant for the ordinal 0, but for our purposes it is enough that each concrete data structure inhabits μ^∞ F. For checking termination relative sizes are sufficient, which can be expressed using ordinal variables and successor.
Example 2.1 (Some sized types).

    Nat   : +ord → *
    Nat   := λi. μ^i λX. 1 + X

    GRose : +ord → +(+* → *) → +* → *
    GRose := λiλFλA. μ^i λX. 1 + A × F X

    List  : +ord → +* → *
    List  := λiλA. μ^i λX. 1 + A × X

    Tree  : +ord → −* → +* → *
    Tree  := λiλBλA. GRose^i (λX. B → X) A


2.4. Sized coinductive types. Dually to inductive or least fixed-point types μF we have coinductive or greatest fixed-point types νF to model infinite structures. For instance Stream A = νX. A × X contains the infinite sequences over A. The dual to the height of an inductive data structure is the depth of a coinductive one, i.e., how often one can unwind the structure. So the size a of a sized coinductive type ν^a F is a lower bound on the depth of its inhabitants. Since it is a lower bound, coinductive types are contravariant in their size index:

    ν : −ord → +(+* → *) → *.

As for inductive types, the equation ν^∞ F = ν^{∞+1} F holds.

Example 2.2 (Sized streams). On a stream in Stream^a A one can safely read off the first a elements.

    Stream : −ord → +* → *
    Stream := λiλA. ν^i λX. A × X



2.5. Heterogeneous datatypes. If we consider not only fixed-point types, but also fixed-point constructors, we can treat programs involving so-called nested or heterogeneous types. A simple example of a heterogeneous type is the type of powerlists PList A which contains lists of As whose length is a power of two [Hin00a]. The type constructor PList : * → * can be modeled as μλXλA. A + X (A × A) which is the least fixed-point of a type constructor of kind (* → *) → (* → *).

Sized heterogeneous types are obtained by simply generalizing μ and ν to

    μ_κ : +ord → +(+κ → κ) → κ
    ν_κ : −ord → +(+κ → κ) → κ.

The kind κ is required to be pure, i.e., a kind not mentioning ord, for reasons explained in Section 3.4. All our examples work for pure κ.

Example 2.3 (Sized heterogeneous types).

    PList : +ord → +* → *
    PList := λi. μ^i λXλA. A + X (A × A)

    Bush  : +ord → +* → *
    Bush  := λi. μ^i λXλA. 1 + A × X (X A)

    Lam   : +ord → +* → *
    Lam   := λi. μ^i λXλA. A + X A × X A + X (1 + A)

The second type, Bush^a A, bushy lists, models finite maps from unlabeled binary trees of height < a into A [Alt01, Hin00b]. The third type, Lam^a A, is inhabited by de Bruijn representations of untyped lambda terms of height < a with free variables in A [BP99, AR99].

2.6. Programs. The term language of F^ω̂ is the λ-calculus plus the standard constants to introduce and eliminate unit (1), sum (+), and product (×) types. We write (t1, t2) for pair t1 t2. Further, there is folding, in, and unfolding, out, of (co)inductive types. The complete listing of the typing rules can be found in Figure 6 in the appendix; here we discuss the most important ones. Let κ = p_1κ_1 → ··· → p_mκ_m → * be a pure kind, F : +κ → κ, G_i : κ_i for 1 ≤ i ≤ m, a : ord, and ∇ ∈ {μ, ν}; then we have the following (un)folding rules:

$$\text{TY-FOLD}\ \frac{\Gamma \vdash t : F\,(\nabla^a_\kappa F)\,\vec G}{\Gamma \vdash \mathsf{in}\, t : \nabla^{a+1}_\kappa F\,\vec G} \qquad\qquad \text{TY-UNFOLD}\ \frac{\Gamma \vdash r : \nabla^{a+1}_\kappa F\,\vec G}{\Gamma \vdash \mathsf{out}\, r : F\,(\nabla^a_\kappa F)\,\vec G}$$

Finally, there are fixed-point combinators fix^μ_n and fix^ν_n for each n ∈ ℕ on the term level. The term fix^μ_n s denotes a recursive function with n leading non-recursive arguments; the n+1st argument must be of an inductive type. Similarly, fix^ν_n s is a corecursive function which takes n arguments and produces an inhabitant of a coinductive type. We abbreviate f t1 ... tn by f t1..n or f t⃗.

One-step reduction t → t' is defined by the β-reduction axioms given in Figure 1 plus congruence rules. Its transitive closure is denoted by →⁺, and →* is the reflexive-transitive closure. Interesting are the reduction rules for recursion and corecursion:

    fix^μ_n s t1..n (in t)  → s (fix^μ_n s) t1..n (in t)
    out (fix^ν_n s t1..n)   → out (s (fix^ν_n s) t1..n)

A recursive function is only unfolded if its recursive argument is a value, i.e., of the form in t. This condition is required to ensure strong normalization; it is present in the work of Mendler [Men87], Gimenez [Gim98], Barthe et al. [BFG+04], and the author [Abe04]. Dually, corecursive functions are only unfolded on demand, i.e., in an evaluation context, the matching one being out _.



    p ≤ p'                        polarity ordering
    Δ ⊢ F : κ                     kinding
    Δ ⊢ F = F' : κ                constructor equality
    Δ ⊢ F ≤ F' : κ                higher-order subtyping
    t → t'                        reduction
    Γ ⊢ t : A                     typing
    Γ ⊢ A fix^∇_n-adm             admissible recursion type

Figure 2: F^ω̂: Judgements.
Figure 2 lists the basic judgements of F^ω̂; their rules can be found in the appendix. As pointed out in the introduction, recursion is introduced by the rule

$$\text{TY-REC}\ \frac{\Gamma \vdash A\ \mathsf{fix}^\nabla_n\text{-adm} \qquad \Gamma \vdash a : \mathsf{ord}}{\Gamma \vdash \mathsf{fix}^\nabla_n : (\forall i{:}\mathsf{ord}.\ A\,i \to A\,(i+1)) \to A\,a}$$

Herein, ∇ stands for μ or ν, and the judgement A fix^∇_n-adm (see Def. 6.3) ensures that type A is admissible for (co)recursion, as discussed in the introduction. In this article, we will find out which types are admissible.

Example 2.4. Now we can code the example from the introduction in F^ω̂, with a suitable coding of true, false and ∧.

    eqGRose : (∀A. Eq A → Eq (F A)) → ∀A. Eq A → ∀i. Eq (GRose^i F A)
    eqGRose := λeqF λeqA.
      fix^μ_0 λeq λt1 λt2. case (out t1)
        (λ_. case (out t2) (λ_. true) (λn2. false))
        (λn1. case (out t2) (λ_. false)
          (λn2. (eqA (fst n1) (fst n2)) ∧ (eqF eq (snd n1) (snd n2))))

Typing succeeds, by the following assignment of types to variables:

    eqF : ∀A. Eq A → Eq (F A)        t1, t2 : GRose^{i+1} F A
    eqA : Eq A                       _      : 1
    eq  : Eq (GRose^i F A)           n1, n2 : A × F (GRose^i F A)

More examples, including programs over heterogeneous types, can be found in the author's thesis [Abe06b].



3. Semantics

Hughes, Pareto, and Sabry [HPS96] give a domain-theoretic semantics of sized types. We, however, follow Barthe et al. [BFG+04] and interpret types as sets of terminating open expressions and show that any reduction sequence starting with a well-typed expression converges to a normal form. This is more than showing termination of programs (closed expressions); our results can be applied to partial evaluation and testing term equality in type-theoretic proof assistants.

The material in this section is quite technical, but provides the necessary basis for our considerations in the following sections. The reader may browse it, take a closer look at the interpretation of types (Sec. 3.5) and then continue with Section 4, coming back when necessary.

Let S denote the set of strongly normalizing terms. We interpret a type A as a semantic type [[A]] ⊆ S, and the function space is defined extensionally:

$$[\![A \to B]\!] = \{ r \mid r\,s \in [\![B]\!] \text{ for all } s \in [\![A]\!] \}.$$

As main theorem, we show that given a well-typed term x1 : A1, ..., xn : An ⊢ t : C and replacements si ∈ [[Ai]] for each occurring variable xi, the substitution [s1..n/x1..n]t inhabits [[C]]. The proof proceeds by induction on the typing derivation, and in the λ-case (here simplified)

$$\frac{x : A \vdash t : B}{\vdash \lambda x t : A \to B}$$

it suffices to show (λxt) s ∈ [[B]] for any s ∈ [[A]]. However, by induction hypothesis we know only [s/x]t ∈ [[B]]. We therefore require semantic types to be closed under weak head expansion to make this case go through.

Since we are interested in normalization of open terms, we need to set the aforementioned replacements si to variables xi. This is possible if each semantic type contains all variables, which has to be generalized to all neutral terms, i.e., terms E(x) with a variable in evaluation position. These observations motivate our definition of semantic types.



3.1. Semantic types. We define safe (weak head) reduction ▷ by the following axioms. The idea is that semantic types are closed under ▷-expansion.

    (λxt) s                 ▷ [s/x]t                        if s ∈ S
    fst (pair r s)          ▷ r                             if s ∈ S
    snd (pair r s)          ▷ s                             if r ∈ S
    out (in r)              ▷ r
    case (inl r)            ▷ λxλy. x r                     (*)
    case (inr r)            ▷ λxλy. y r                     (*)
    fix^μ_n s t1..n (in r)  ▷ s (fix^μ_n s) t1..n (in r)
    out (fix^ν_n s t1..n)   ▷ out (s (fix^ν_n s) t1..n)

Side condition (*): x, y ∉ FV(r). Additionally, we close safe reduction under evaluation contexts and transitivity:

    E(t)  ▷ E(t')   if t ▷ t'
    t1    ▷ t3      if t1 ▷ t2 and t2 ▷ t3

One-step safe reduction is deterministic, hence, if r ▷ s and r ▷ t then either s = t or s ▷ t or t ▷ s.

    V := {v, E(x) | v value, E evaluation context}

is the set of ▷-normal forms, not counting junk terms like fst (λxt).

The relation is defined such that S is closed under ▷-expansion, meaning t ▷ t' ∈ S implies t ∈ S. In other words, ▷ used in the expansion direction does not introduce diverging terms. Let ▷A denote the closure of term set A under ▷-expansion. In general, the closure of term set A is defined as

    Ā = ▷(A ∪ {E(x) | x variable, E(x) ∈ S}).

Closure preserves strong normalization: If A ⊆ S then Ā ⊆ S. A term set is closed if Ā = A. The least closed set is the set of neutral terms N := ∅̄. Intuitively, a neutral term never reduces to a value, it necessarily has a free variable, and it can be substituted into any term without creating a new redex. A term set A is saturated if A is closed and N ⊆ A ⊆ S (this makes sure that A contains all variables). A saturated set is called a semantic type.



3.2. Interpretation of kinds. When types are interpreted as sets of terms, the easiest interpretation of type constructors is as set-theoretical operators on term sets, or, as we go higher-order, on operators.

The saturated sets form a complete lattice [[*]] with least element ⊥* := N and greatest element ⊤* := S. It is ordered by inclusion ⊑* := ⊆ and has set-theoretic infimum inf* := ∩ and supremum sup* := ∪. Let [[ord]] := [0; ⊤ord] be an initial segment of the set-theoretic ordinals. With the usual ordering on ordinals, [[ord]] constitutes a complete lattice as well. For lattices L and L', let L →⁺ L' denote the space of monotone functions from L to L' and L →⁻ L' the space of antitone ones. The mixed-variant function kind [[∘κ → κ']] is interpreted as set-theoretic function space [[κ]] → [[κ']]; the covariant function kind +κ → κ' denotes the monotonic function space [[κ]] →⁺ [[κ']] and the contravariant kind −κ → κ' the antitonic space [[κ]] →⁻ [[κ']]. For all function kinds, ordering is defined pointwise: F ⊑^{pκ→κ'} F' :⟺ F(G) ⊑^{κ'} F'(G) for all G ∈ [[κ]]. Similarly, ⊥^{pκ→κ'}(G) := ⊥^{κ'} is defined pointwise, and so are ⊤^{pκ→κ'}, inf^{pκ→κ'}, and sup^{pκ→κ'}.

3.3. Limits and iteration. Inductive types |/i a .F] are constructed by iterating the oper- 
ator \F} [afl-times, starting with the least semantic type _L. At limit ordinals, we take the 
supremum. If JaJ is big enough, latest if [a] = T ord , the least fixed-point is reached, but 
our type system also provides notation for the approximation stages below the fixed-point. 
For coinductive types, we start with the biggest semantic type T and take the infimum at 
limits. It is possible to unify these two forms of iteration, by taking the limsup instead of 
infimum or supremum at the limits. The notion of limsup and iteration can be defined for 
arbitrary lattices: 

In the following $\lambda \in \mathcal{O}$ will denote a limit ordinal. (We will only consider proper limits, i.e., $\lambda \neq 0$.) For $\mathcal{L}$ a complete lattice and $f \in \mathcal{O} \to \mathcal{L}$ we define:

$$\liminf_{\alpha\to\lambda} f(\alpha) := \sup_{\alpha_0<\lambda}\ \inf_{\alpha_0<\alpha<\lambda} f(\alpha)$$

$$\limsup_{\alpha\to\lambda} f(\alpha) := \inf_{\alpha_0<\lambda}\ \sup_{\alpha_0<\alpha<\lambda} f(\alpha)$$

Using $\inf_\lambda f$ as shorthand for $\inf_{\alpha<\lambda} f(\alpha)$, and analogous shorthands for $\sup$, $\liminf$, and $\limsup$, we have $\inf_\lambda f \sqsubseteq \liminf_\lambda f \sqsubseteq \limsup_\lambda f \sqsubseteq \sup_\lambda f$. If $f$ is monotone, then even $\liminf_\lambda f = \sup_\lambda f$, and if $f$ is antitone, then $\inf_\lambda f = \limsup_\lambda f$.

If $f \in \mathcal{L} \to \mathcal{L}$ and $g \in \mathcal{L}$, we define transfinite iteration $f^\alpha(g)$ by recursion on $\alpha$ as follows:

$$f^0(g) := g$$

$$f^{\alpha+1}(g) := f(f^\alpha(g))$$

$$f^\lambda(g) := \limsup_{\alpha\to\lambda} f^\alpha(g)$$

This definition of iteration works for any $f$, not just monotone ones. For monotone $f$, we obtain the usual approximants of least and greatest fixed-points as $\mu^\alpha f = f^\alpha(\bot)$ and $\nu^\alpha f = f^\alpha(\top)$: It is easy to check that $\mu^\lambda f = \sup_{\alpha<\lambda} \mu^\alpha f$ and $\nu^\lambda f = \inf_{\alpha<\lambda} \nu^\alpha f$, so our definition coincides with the usual one.
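To see the limsup clause of transfinite iteration at work on concrete data, here is an added example (it is not part of the paper). It works in the finite lattice of subsets of a six-element universe, where every sequence obtained by iterating an operator is eventually periodic, so $\liminf$ and $\limsup$ at $\omega$ can be computed exactly. The universe, the two operators `nat_step` and `complement`, and all function names are constructed for this illustration. It checks the chain $\inf \sqsubseteq \liminf \sqsubseteq \limsup \sqsubseteq \sup$, that a monotone sequence has $\liminf = \sup$, and that iteration past $\omega$ is defined even for the non-monotone complement operator.

```python
"""Transfinite iteration f^alpha(g) with limsup at limits, on a finite lattice.

Added example, not from the paper. The lattice is the power set of a small
universe U; ordinals are restricted to omega*m + n, which suffices to see
what the limsup clause does at a limit.
"""
from itertools import count

U = frozenset(range(6))            # universe; the lattice is its power set
BOT, TOP = frozenset(), U

def omega_sequence(f, g):
    """Split the sequence g, f(g), f(f(g)), ... into (prefix, cycle).

    The lattice is finite, so the sequence is eventually periodic, and the
    whole omega-indexed sequence is determined by these two finite lists.
    """
    seen, seq, x = {}, [], g
    for n in count():
        if x in seen:                  # first repetition closes the cycle
            k = seen[x]
            return seq[:k], seq[k:]
        seen[x] = n
        seq.append(x)
        x = f(x)

def sup_omega(prefix, cycle):
    return frozenset().union(*prefix, *cycle)

def inf_omega(prefix, cycle):
    return frozenset.intersection(U, *prefix, *cycle)

def limsup_omega(prefix, cycle):
    """inf_{n0<w} sup_{n0<n<w} a(n): for n0 past the prefix the tail ranges
    over exactly the cycle, and the tail-sups decrease in n0."""
    return frozenset().union(*cycle)

def liminf_omega(prefix, cycle):
    """sup_{n0<w} inf_{n0<n<w} a(n), dually."""
    return frozenset.intersection(U, *cycle)

def iterate(f, g, omegas=0, n=0):
    """f^(omega*omegas + n)(g): limsup at each limit omega*k, then n steps."""
    for _ in range(omegas):
        g = limsup_omega(*omega_sequence(f, g))
    for _ in range(n):
        g = f(g)
    return g

def nat_step(x):
    """Monotone operator; its least fixed point is U (a 'Nat' on U)."""
    return frozenset({0} | {k + 1 for k in x if k + 1 in U})

def complement(x):
    """Non-monotone operator; iteration still makes sense via limsup."""
    return U - x

def limits(f, g):
    """(inf, liminf, limsup, sup) of the sequence n |-> f^n(g)."""
    pc = omega_sequence(f, g)
    return inf_omega(*pc), liminf_omega(*pc), limsup_omega(*pc), sup_omega(*pc)
```

`iterate(f, g, 1, 0)` is $f^\omega(g)$, computed as the limsup of the $\omega$-sequence; for the monotone `nat_step` it is also $\mu^\omega$. For `complement` the sequence alternates, so $f^\omega(\emptyset) = U$ while $f^{\omega+1}(\emptyset) = \emptyset$: the iteration is defined but does not converge, which is exactly why monotonicity is needed to read $f^\alpha(\bot)$ as an approximant of a fixed-point.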

3.4. Closure ordinal. We can calculate an upper bound for the ordinal $\top^{\mathrm{ord}}$ at which all fixed-points are reached as follows: Let $D_n$ be a sequence of cardinals defined by $D_0 = |\mathbb{N}|$ and $D_{n+1} = |\mathcal{P}(D_n)|$. For a pure kind $\kappa$, let $|\kappa|$ be the number of $*$s in $\kappa$. Since $\llbracket * \rrbracket$ consists of countable sets, $|\llbracket * \rrbracket| \le |\mathcal{P}(\mathbb{N})| = D_1$, and by induction on $\kappa$, $|\llbracket\kappa\rrbracket| \le D_{|\kappa|+1}$. Since an (ascending or descending) chain in $\llbracket\kappa\rrbracket$ is bounded in length by $|\llbracket\kappa\rrbracket|$, each fixed-point is reached at the latest at the $|\llbracket\kappa\rrbracket|$th iteration. Hence, the closure ordinal for all (co)inductive types can be approximated from above by $\top^{\mathrm{ord}} = \beth_\omega$.

This calculation does not work if we allow fixed-points of constructors involving $\mathrm{ord}$. Then the closure ordinal of such a fixed-point would depend on which ordinals are in the semantics of $\mathrm{ord}$, which in turn would depend on what the closure ordinal for all fixed-points was: a vicious cycle. However, I do not see a practical example where one would want to construct the fixed-point of a sized-type transformer $F : (\mathrm{ord} \to \kappa) \to (\mathrm{ord} \to \kappa)$. Note that this does not exclude fixed-points inside fixed-points, such as

$$\mathrm{BTree}^{ij}\,A = \mu^i \lambda X.\ 1 + X \times (\mu^j \lambda Y.\ 1 + A \times X \times Y),$$

"B-trees" of height $< i$ with each node containing $< j$ keys of type $A$.

Example 3.1 (Number classes). Here we show that higher-kinded strictly-positive inductive types may require strictly higher closure ordinals than strictly-positive inductive types of kind $*$. Following Hancock [Han02], we can define the number classes as inductive types as follows:

$$\begin{array}{lcl}
\mathrm{NC}_0 & := & \mu^\infty \lambda X.\ 1 \ \cong\ 1\\
\mathrm{NC}_1 & := & \mu^\infty \lambda X.\ 1 + (\mathrm{NC}_0 \to X) \ \cong\ \mathrm{Nat}^\infty\\
\mathrm{NC}_2 & := & \mu^\infty \lambda X.\ 1 + (\mathrm{NC}_0 \to X) + (\mathrm{NC}_1 \to X) \ \cong\ \mu^\infty \lambda X.\ 1 + X + (\mathrm{Nat}^\infty \to X)\\
\mathrm{NC}_3 & := & \mu^\infty \lambda X.\ 1 + (\mathrm{NC}_0 \to X) + (\mathrm{NC}_1 \to X) + (\mathrm{NC}_2 \to X)
\end{array}$$

The second number class $\mathrm{NC}_2$ is also known as the Brouwer ordinals. The law behind this scheme is: $\mathrm{NC}_n = \mu^\infty F_n$, where $F_0\,X = 1$ and $F_{n+1}\,X = F_n\,X + (\mu^\infty F_n \to X)$. Each number class requires a higher closure ordinal, and their limit is the closure ordinal of all strictly-positive inductive types of kind $*$. Now let

$$\begin{array}{l}
\mathrm{NumClTree} : \mathrm{ord} \to (* \to *) \to *\\
\mathrm{NumClTree} := \lambda i.\ \mu^i \lambda Y \lambda F.\ 1 + (\mu^\infty F \to Y\,(\lambda X.\ F\,X + (\mu^\infty F \to X))).
\end{array}$$

Then $\mathrm{NumClTree}^\infty\,(\lambda X.\ 1)$ is the type of trees branching over the $n$th number class at the $n$th level. This example suggests that the closure ordinal of certain strictly positive inductive types of kind $(* \to *) \to *$ is above the one of the strictly-positive inductive types of kind $*$. However, the situation is unclear for non-strictly positive inductive types.



3.5. Interpretation of types. For $r$ a term, $e$ an evaluation frame, and $\mathcal{A}$ a term set, let $r \cdot \mathcal{A} = \{r\,s \mid s \in \mathcal{A}\}$ and $e^{-1}\mathcal{A} = \{r \mid e(r) \in \mathcal{A}\}$. If $e$ is strongly normalizing and $\mathcal{A}$ saturated, then $e^{-1}\mathcal{A}$ is again saturated. For saturated sets $\mathcal{A}, \mathcal{B} \in \llbracket * \rrbracket$ we define the following saturated sets:

$$\begin{array}{lcl@{\qquad}lcl}
\mathcal{A} \boxplus \mathcal{B} & := & \overline{\mathsf{inl} \cdot \mathcal{A}} \cup \overline{\mathsf{inr} \cdot \mathcal{B}} & \llbracket 1 \rrbracket & := & \overline{\{()\}}\\
\mathcal{A} \boxtimes \mathcal{B} & := & (\mathsf{fst}\,\_)^{-1}\mathcal{A} \cap (\mathsf{snd}\,\_)^{-1}\mathcal{B} & \mathcal{A}^\mu & := & \overline{\mathsf{in} \cdot \mathcal{A}}\\
\mathcal{A} \mathrel{\boxed{\to}} \mathcal{B} & := & \bigcap_{s \in \mathcal{A}} (\_\,s)^{-1}\mathcal{B} & \mathcal{A}^\nu & := & (\mathsf{out}\,\_)^{-1}\mathcal{A}
\end{array}$$

The last two notations are lifted pointwise to operators $\mathcal{F} \in \llbracket p\kappa \to \kappa' \rrbracket$ by setting $\mathcal{F}^\nabla(\mathcal{G}) = (\mathcal{F}(\mathcal{G}))^\nabla$, where $\nabla \in \{\mu, \nu\}$.

Remark 3.2. Our definition of product and function space (inspired by Vouillon [Vou04]) makes it immediate that $\boxtimes$ and $\boxed{\to}$ operate on saturated sets. But it is just a reformulation of the usual $\mathcal{A} \boxtimes \mathcal{B} = \{r \mid \mathsf{fst}\,r \in \mathcal{A} \text{ and } \mathsf{snd}\,r \in \mathcal{B}\}$ and $\mathcal{A} \mathrel{\boxed{\to}} \mathcal{B} = \{r \mid r\,s \in \mathcal{B} \text{ for all } s \in \mathcal{A}\}$.

Notice that the finitary or (in the logical sense) positive connectives $1$, $+$, and $\mu$ are defined via introductions, while the infinitary or negative connectives $\to$ and $\nu$ are defined via eliminations. (The binary product $\times$ fits in either category.)
For a constructor constant $C$ of kind $\kappa$, the semantics $\llbracket C \rrbracket \in \llbracket\kappa\rrbracket$ is defined as follows:

$$\begin{array}{lcl@{\qquad}lcl}
\llbracket + \rrbracket(\mathcal{A}, \mathcal{B} \in \llbracket * \rrbracket) & := & \mathcal{A} \boxplus \mathcal{B} & \llbracket 1 \rrbracket & := & \overline{\{()\}}\\
\llbracket \times \rrbracket(\mathcal{A}, \mathcal{B} \in \llbracket * \rrbracket) & := & \mathcal{A} \boxtimes \mathcal{B} & \llbracket \infty \rrbracket & := & \top^{\mathrm{ord}}\\
\llbracket \to \rrbracket(\mathcal{A}, \mathcal{B} \in \llbracket * \rrbracket) & := & \mathcal{A} \mathrel{\boxed{\to}} \mathcal{B} & \llbracket \mathsf{s} \rrbracket(\alpha < \top^{\mathrm{ord}}) & := & \alpha + 1\\
\llbracket \forall_\kappa \rrbracket(\mathcal{F} \in \llbracket \circ\kappa \to * \rrbracket) & := & \bigcap_{\mathcal{G} \in \llbracket\kappa\rrbracket} \mathcal{F}(\mathcal{G}) & \llbracket \mathsf{s} \rrbracket(\top^{\mathrm{ord}}) & := & \top^{\mathrm{ord}}\\
\llbracket \mu \rrbracket(\alpha \in \llbracket \mathrm{ord} \rrbracket)(\mathcal{F} \in \llbracket +* \to * \rrbracket) & := & \mu^\alpha \mathcal{F}^\mu\\
\llbracket \nu \rrbracket(\alpha \in \llbracket \mathrm{ord} \rrbracket)(\mathcal{F} \in \llbracket +* \to * \rrbracket) & := & \nu^\alpha \mathcal{F}^\nu
\end{array}$$

This semantics is extended to arbitrary constructors in the usual way. Let $\mathcal{U} = \bigcup_\kappa \llbracket\kappa\rrbracket$. For a valuation $\theta$ which partially maps constructor variables $X$ to their interpretation $\mathcal{G} \in \mathcal{U}$, we define the partial map $\llbracket - \rrbracket_\theta$ from constructors $F$ to their interpretation in $\mathcal{U}$ by recursion on $F$.

$$\begin{array}{lcl}
\llbracket C \rrbracket_\theta & = & \llbracket C \rrbracket\\
\llbracket X \rrbracket_\theta & = & \theta(X)\\
\llbracket F\,G \rrbracket_\theta & = & \llbracket F \rrbracket_\theta(\llbracket G \rrbracket_\theta)\\
\llbracket \lambda X{:}\kappa.\,F \rrbracket_\theta & = & \begin{cases} \mathcal{F} & \text{if } \mathcal{F} \in \llbracket\kappa\rrbracket \to \llbracket\kappa'\rrbracket \text{ for some } \kappa'\\ \text{undefined} & \text{else} \end{cases}\\
& & \text{where } \mathcal{F}(\mathcal{G} \in \llbracket\kappa\rrbracket) := \llbracket F \rrbracket_{\theta[X \mapsto \mathcal{G}]}
\end{array}$$

In the last clause, $\mathcal{F}$ is a partial function from $\llbracket\kappa\rrbracket$ to $\mathcal{U}$. (The application clause is likewise partial: it is defined only if $\llbracket F \rrbracket_\theta$ is a function whose domain contains $\llbracket G \rrbracket_\theta$.)

The interpretation $\llbracket F \rrbracket_\theta$ is well-defined for well-kinded $F$, and these are the only constructors we are interested in, but we chose to give a (possibly undefined) meaning to all constructors. If one restricts the interpretation to well-kinded constructors, one has to define it by recursion on the kinding derivation and show coherence: If a constructor has two kinding derivations ending in the same kind, then the two interpretations coincide. This alternative requires a bit more work than our choice.

Lemma 3.3 (Basic properties of interpretation).

(1) Relevance: If $\theta(X) = \theta'(X)$ for all $X \in \mathrm{FV}(F)$, then $\llbracket F \rrbracket_\theta = \llbracket F \rrbracket_{\theta'}$.

(2) Substitution: $\llbracket [G/X]F \rrbracket_\theta = \llbracket F \rrbracket_{\theta[X \mapsto \llbracket G \rrbracket_\theta]}$.

Proof. Each by induction on $F$. For (2), consider the case $F = \lambda Y{:}\kappa.\,F'$. W.l.o.g., $Y \notin \mathrm{FV}(G)$. By the induction hypothesis,

$$\mathcal{F}(\mathcal{H}) := \llbracket [G/X]F' \rrbracket_{\theta[Y \mapsto \mathcal{H}]} = \llbracket F' \rrbracket_{\theta[Y \mapsto \mathcal{H}][X \mapsto \llbracket G \rrbracket_{\theta[Y \mapsto \mathcal{H}]}]} = \llbracket F' \rrbracket_{\theta[X \mapsto \llbracket G \rrbracket_\theta][Y \mapsto \mathcal{H}]},$$

using (1) on $G$. Hence, $\llbracket [G/X](\lambda Y{:}\kappa.\,F') \rrbracket_\theta = \llbracket \lambda Y{:}\kappa.\,F' \rrbracket_{\theta[X \mapsto \llbracket G \rrbracket_\theta]}$. $\square$

Although the substitution property holds even for ill-kinded constructors, we only have for well-kinded constructors that $\llbracket (\lambda X{:}\kappa.\,F)\,G \rrbracket_\theta = \llbracket [G/X]F \rrbracket_\theta$. In general, the left hand side is less defined than the right hand side, e.g., $\llbracket (\lambda X{:}*.\,1)\,\infty \rrbracket_\theta$ is undefined, whereas the interpretation $\llbracket 1 \rrbracket_\theta$ of its $\beta$-reduct is well-defined. In the following we show that for well-kinded constructors the interpretation is well-defined and invariant under $\beta$.

Theorem 3.4 (Soundness of kinding, equality, and subtyping for constructors). Let $\theta \sqsubseteq \theta' \in \llbracket\Delta\rrbracket$, meaning that for all $(X : p\kappa') \in \Delta$ it holds that $\mathcal{G} := \theta(X) \in \llbracket\kappa'\rrbracket$ and $\mathcal{G}' := \theta'(X) \in \llbracket\kappa'\rrbracket$, and $\mathcal{G} = \mathcal{G}'$ if $p = \circ$, $\mathcal{G} \sqsubseteq \mathcal{G}'$ if $p = +$, and $\mathcal{G}' \sqsubseteq \mathcal{G}$ if $p = -$.

(1) If $\Delta \vdash F : \kappa$ then $\llbracket F \rrbracket_\theta \sqsubseteq \llbracket F \rrbracket_{\theta'} \in \llbracket\kappa\rrbracket$.

(2) If $\Delta \vdash F = F' : \kappa$ then $\llbracket F \rrbracket_\theta \sqsubseteq \llbracket F' \rrbracket_{\theta'} \in \llbracket\kappa\rrbracket$.

(3) If $\Delta \vdash F \le F' : \kappa$ then $\llbracket F \rrbracket_\theta \sqsubseteq \llbracket F' \rrbracket_{\theta'} \in \llbracket\kappa\rrbracket$.

Proof. Simultaneously by induction on the derivation. $\square$

Now we can compute the semantics of types, e.g., $\llbracket \mathrm{Nat}^i \rrbracket_{(i \mapsto \alpha)} = \mathcal{N}\!at^\alpha = \mu^\alpha(\mathcal{X} \mapsto (\llbracket 1 \rrbracket \boxplus \mathcal{X})^\mu)$. Similarly, the semantic versions of $\mathrm{List}$, $\mathrm{Stream}$, etc. are denoted by $\mathcal{L}ist$, $\mathcal{S}tream$, etc.

3.6. Semantic admissibility and strong normalization. For the main theorem to follow, we assume semantic soundness of our yet to be defined syntactical criterion of admissibility (to be defined below).

Assumption 3.5 (Semantic admissibility). If $\Gamma \vdash A\ \mathsf{fix}^\nabla_n\text{-adm}$ and $\theta(X) \in \llbracket\kappa\rrbracket$ for all $(X : \kappa) \in \Gamma$ then $\mathcal{A} := \llbracket A \rrbracket_\theta \in \llbracket\mathrm{ord}\rrbracket \to \llbracket * \rrbracket$ has the following properties:

(1) Shape: $\mathcal{A}(\alpha) = \bigcap_{k \in K} \mathcal{B}_1(k,\alpha) \mathrel{\boxed{\to}} \dots \mathrel{\boxed{\to}} \mathcal{B}_n(k,\alpha) \mathrel{\boxed{\to}} \mathcal{B}(k,\alpha)$ for some $K$ and some $\mathcal{B}_1, \dots, \mathcal{B}_n, \mathcal{B} \in K \times \llbracket\mathrm{ord}\rrbracket \to \llbracket * \rrbracket$. In case $\nabla = \mu$, $\mathcal{B}(k,\alpha) = \mathcal{I}(k,\alpha)^\mu \mathrel{\boxed{\to}} \mathcal{C}(k,\alpha)$ for some $\mathcal{I}, \mathcal{C}$. Otherwise, $\mathcal{B}(k,\alpha) = \mathcal{C}(k,\alpha)^\nu$ for some $\mathcal{C}$.

(2) Bottom-check: $\mathcal{I}(k,0)^\mu = \bot^*$ in case $\nabla = \mu$ and $\mathcal{C}(k,0)^\nu = \top^*$ in case $\nabla = \nu$.

(3) Limit-check: $\inf_{\alpha<\lambda} \mathcal{A}(\alpha) \sqsubseteq \mathcal{A}(\lambda)$ for all limit ordinals $\lambda \in \llbracket\mathrm{ord}\rrbracket \setminus \{0\}$.

In case of recursion ($\nabla = \mu$), condition (1) ensures that $\mathsf{fix}^\mu_n\,s$ really produces a function whose $n+1$st argument is of something that looks like an inductive type ($\mathcal{I}(k,\alpha)^\mu$). The function can be polymorphic, hence the intersection $\bigcap_{k \in K}$ over an index set $K$. Condition (2) requires $\mathcal{I}$ to exhibit at least for $\alpha = 0$ the behavior of an inductive type: $\mathcal{I}(k,0)^\mu = \bot^*$, which is equivalent to $\mathcal{I}(k,0) = \emptyset$. The technical condition (3) is used in the following theorem and will occupy our attention for the remainder of this article. In case of corecursion ($\nabla = \nu$), condition (1) ensures that $\mathsf{fix}^\nu_n\,s$ maps $n$ arguments into something like a coinductive type ($\mathcal{C}(k,\alpha)^\nu$), which needs to cover the whole universe $\top^*$ of terms for $\alpha = 0$.

Now we show soundness of our typing rules, which entails strong normalization. Let $t\theta$ denote the simultaneous substitution of $\theta(x)$ for each $x \in \mathrm{FV}(t)$ in $t$.

Theorem 3.6 (Soundness of typing). Assume that the judgement $\Gamma \vdash A\ \mathsf{fix}^\nabla_n\text{-adm}$ is sound, as stated above. Let $\theta(X) \in \llbracket\kappa\rrbracket$ for all $(X : \kappa) \in \Gamma$ and $\theta(x) \in \llbracket A \rrbracket_\theta$ for all $(x : A) \in \Gamma$. If $\Gamma \vdash t : B$ then $t\theta \in \llbracket B \rrbracket_\theta$.

Proof. By induction on the typing derivation. We consider the recursion rule (ty-rec for $\nabla = \mu$).

$$\dfrac{\Gamma \vdash A\ \mathsf{fix}^\mu_n\text{-adm} \qquad \Gamma \vdash a : \mathrm{ord}}{\Gamma \vdash \mathsf{fix}^\mu_n : (\forall i{:}\mathrm{ord}.\ A\,i \to A\,(i+1)) \to A\,a}$$

By hypothesis, $\mathcal{A} := \llbracket A \rrbracket_\theta \in \llbracket\mathrm{ord}\rrbracket \to \llbracket * \rrbracket$ is admissible, and $\alpha := \llbracket a \rrbracket_\theta \in \llbracket\mathrm{ord}\rrbracket$. Assume an $s \in \llbracket \forall i{:}\mathrm{ord}.\ A\,i \to A\,(i+1) \rrbracket_\theta = \bigcap_{\beta < \top^{\mathrm{ord}}} \mathcal{A}(\beta) \mathrel{\boxed{\to}} \mathcal{A}(\beta+1)$. We show $\mathsf{fix}^\mu_n\,s \in \mathcal{A}(\alpha)$ by transfinite induction on $\alpha$.

In the base case $\alpha = 0$, by Assumption 3.5 we have $\mathcal{A}(0) = \bigcap_{k \in K} \mathcal{B}_{1..n}(k,0) \mathrel{\boxed{\to}} \bot^* \mathrel{\boxed{\to}} \mathcal{C}(k,0)$. We assume $k \in K$ and $t_i \in \mathcal{B}_i(k,0)$; then $e(r) := \mathsf{fix}^\mu_n\,s\,t_{1..n}\,r$ is a strongly normalizing evaluation frame. Since each $r \in \bot^* = \mathcal{N}$ is neutral, we have $e(r) \in \mathcal{N} \subseteq \mathcal{C}(k,0)$.

In the step case, $\mathcal{A}(\alpha+1) = \bigcap_{k \in K} \mathcal{B}_{1..n}(k,\alpha+1) \mathrel{\boxed{\to}} \mathcal{I}(k,\alpha+1)^\mu \mathrel{\boxed{\to}} \mathcal{C}(k,\alpha+1)$. We assume $k \in K$, $t_i \in \mathcal{B}_i(k,\alpha+1)$, and $r \in \mathcal{I}(k,\alpha+1)^\mu$, which means that either $r$ is neutral, in which case we continue as in the previous case, or $r \triangleright \mathsf{in}\,r'$. Now $\mathsf{fix}^\mu_n\,s\,\vec t\,r \triangleright \mathsf{fix}^\mu_n\,s\,\vec t\,(\mathsf{in}\,r') \triangleright s\,(\mathsf{fix}^\mu_n\,s)\,\vec t\,(\mathsf{in}\,r')$. The last term inhabits $\mathcal{C}(k,\alpha+1)$, since $\mathsf{fix}^\mu_n\,s \in \mathcal{A}(\alpha)$ by induction hypothesis and therefore $s\,(\mathsf{fix}^\mu_n\,s) \in \mathcal{A}(\alpha+1)$.

Finally, in the limit case, $\mathsf{fix}^\mu_n\,s \in \mathcal{A}(\alpha)$ for all $\alpha < \lambda$ by induction hypothesis. Since $\bigcap_{\alpha<\lambda} \mathcal{A}(\alpha) = \inf_{\alpha<\lambda} \mathcal{A}(\alpha) \sqsubseteq \mathcal{A}(\lambda)$ by Assumption 3.5, we are done. $\square$

Corollary 3.7 (Strong normalization). If $\Gamma \vdash t : B$ then $t$ is strongly normalizing.

Proof. From soundness of typing, taking a valuation $\theta$ with $\theta(x) = x$ for all term variables $x$ and $\theta(X) = \top^\kappa$ for all $(X : p\kappa) \in \Gamma$. $\square$



4. Semi-Continuity

As motivated in the introduction, only types $\mathcal{C} \in \llbracket\mathrm{ord}\rrbracket \to \llbracket * \rrbracket$ which satisfy the limit-check $\inf_\lambda \mathcal{C} \sqsubseteq \mathcal{C}(\lambda)$ can be admissible for recursion. In this section, we develop a compositional criterion for admissible types. The limit-check itself is not compositional since it does not sensibly distribute over function spaces: To show $\inf_{\alpha<\lambda}(\mathcal{A}(\alpha) \mathrel{\boxed{\to}} \mathcal{B}(\alpha)) \sqsubseteq \mathcal{A}(\lambda) \mathrel{\boxed{\to}} \mathcal{B}(\lambda)$ from $\inf_\lambda \mathcal{B} \sqsubseteq \mathcal{B}(\lambda)$ requires $\mathcal{A}(\lambda) \sqsubseteq \inf_\lambda \mathcal{A}$, which is not even true for $\mathcal{A}(\alpha) = \mathcal{N}\!at^\alpha$ at the limit $\omega$. However, the criterion $\limsup_\lambda \mathcal{C} \sqsubseteq \mathcal{C}(\lambda)$ entails the limit-check, and it distributes reasonably over the function space:

Proposition 4.1. If $\mathcal{A}(\lambda) \sqsubseteq \liminf_\lambda \mathcal{A}$ and $\limsup_\lambda \mathcal{B} \sqsubseteq \mathcal{B}(\lambda)$ then $\limsup_{\alpha\to\lambda}(\mathcal{A}(\alpha) \mathrel{\boxed{\to}} \mathcal{B}(\alpha)) \sqsubseteq \mathcal{A}(\lambda) \mathrel{\boxed{\to}} \mathcal{B}(\lambda)$.

This proposition will reappear (and be proven) as Cor. 4.8. Note that $\mathcal{N}\!at^\lambda = \liminf_\lambda \mathcal{N}\!at$, hence, $\mathcal{A}(\alpha) = \mathcal{N}\!at^\alpha$ can now serve as the domain of an admissible function space, which is the least we expect.

The conditions on $\mathcal{A}$ and $\mathcal{B}$ in the proposition are established mathematical terms: They are subconcepts of continuity. In this article, we consider only functions $f \in \mathcal{O} \to \mathcal{L}$ from ordinals into some lattice $\mathcal{L}$. For such $f$, the question whether $f$ is continuous in a point $\alpha$ only makes sense if $\alpha$ is a limit ordinal, because only then are there infinite non-stationary sequences which converge to $\alpha$; and since every strictly decreasing sequence of ordinals is finite (well-foundedness!), it only makes sense to look at ascending sequences, i.e., approaching the limit from the left. Hence, a function $f$ is upper semi-continuous in $\lambda$ if $\limsup_\lambda f \sqsubseteq f(\lambda)$, and lower semi-continuous if $f(\lambda) \sqsubseteq \liminf_\lambda f$. If $f$ is both upper and lower semi-continuous in $\lambda$, then it is continuous in $\lambda$ (then upper and lower limit coincide with $f(\lambda)$).

In the following we identify sufficient criteria for sum, product, function, inductive, and coinductive types to be semi-continuous.

4.1. Semi-continuity from monotonicity.

Obviously, any monotone function is upper semi-continuous, and any antitone function is lower semi-continuous. Now consider a monotone $f$ with $f(\lambda) = \sup_\lambda f$, as is the case for an inductive type $f(\alpha) = \mu^\alpha \mathcal{F}$ (where $\mathcal{F}$ does not depend on $\alpha$). Since for monotone $f$, $\sup_\lambda f = \liminf_\lambda f$, $f$ is lower semi-continuous. This criterion can be used with Prop. 4.1 to show upper semi-continuity of function types with inductive domain, such as $\mathrm{Eq}(\mathrm{GRose}^i F A)$ (see introduction) and, e.g.,

$$\mathcal{C}(\alpha) = \mathcal{N}\!at^\alpha \mathrel{\boxed{\to}} \mathcal{L}ist^\alpha(\mathcal{A}) \mathrel{\boxed{\to}} \mathcal{C}'(\alpha)$$

where $\mathcal{C}'(\alpha)$ is any monotone type-valued function, for instance $\mathcal{L}ist^\alpha(\mathcal{N}\!at^\alpha)$, and $\mathcal{A}$ is some constant type: The domain types $\mathcal{N}\!at^\alpha$ and $\mathcal{L}ist^\alpha(\mathcal{A})$ are lower semi-continuous according to the just established criterion and the monotone codomain $\mathcal{C}'(\alpha)$ is upper semi-continuous, hence Prop. 4.1 proves upper semi-continuity of $\mathcal{C}$. Note that this criterion fails us if we replace the domain $\mathcal{L}ist^\alpha(\mathcal{A})$ by $\mathcal{L}ist^\alpha(\mathcal{N}\!at^\alpha)$, or even $\mu^\alpha(\mathcal{F}(\mathcal{N}\!at^\alpha))$ for some monotone $\mathcal{F}$, since it is not immediately obvious that

$$\mu^\lambda(\mathcal{F}(\mathcal{N}\!at^\lambda)) = \sup_{\alpha<\lambda} \mu^\alpha(\mathcal{F}(\sup_{\beta<\lambda} \mathcal{N}\!at^\beta)) = \sup_{\alpha<\lambda} \mu^\alpha(\mathcal{F}(\mathcal{N}\!at^\alpha)).$$

However, domain types where one indexed inductive type is inside another inductive type are useful in practice, see Example 6.6. Before we consider lower semi-continuity of such types, let us consider the dual case.

For $f(\alpha) = \nu^\alpha \mathcal{F}$, $\mathcal{F}$ not dependent on $\alpha$, $f$ is antitone and $f(\lambda) := \limsup_\lambda f = \inf_\lambda f$, hence $f$ is continuous in all limits. This establishes upper semi-continuity of a type involved in stream-zipping,

$$\mathcal{S}tream^\alpha(\mathcal{A}) \mathrel{\boxed{\to}} \mathcal{S}tream^\alpha(\mathcal{B}) \mathrel{\boxed{\to}} \mathcal{S}tream^\alpha(\mathcal{C}).$$

However, types like $\mathcal{S}tream^\alpha(\mathcal{N}\!at^\alpha)$ are not yet covered, but now we will develop concepts that allow us to look inside (co)inductive types.

4.2. Simple semi-continuous types. First we will investigate how disjoint sum, product, and function space operate on semi-continuous types.

Definition 4.2. Let $f \in \mathcal{L} \to \mathcal{L}'$. We say limsup pushes through $f$, or $f$ is limsup-pushable, if for all $g \in \mathcal{O} \to \mathcal{L}$,

$$\limsup_{\alpha\to\lambda} f(g(\alpha)) \sqsubseteq f(\limsup_\lambda g).$$

Analogously, $f$ is liminf-pullable, or liminf can be pulled out of $f$, if for all $g$,

$$f(\liminf_\lambda g) \sqsubseteq \liminf_{\alpha\to\lambda} f(g(\alpha)).$$

These notions extend straightforwardly to $f$s with several arguments.

Lemma 4.3 (Facts about limits).

(1) $\sup_{i \in I} \liminf_{\alpha\to\lambda} h(\alpha,i) \sqsubseteq \liminf_{\alpha\to\lambda} \sup_{i \in I} h(\alpha,i)$.

(2) $\limsup_{\alpha\to\lambda} \inf_{i \in I} h(\alpha,i) \sqsubseteq \inf_{i \in I} \limsup_{\alpha\to\lambda} h(\alpha,i)$.

(3) $\limsup_{\alpha\to\lambda} \inf_{i \in I(\alpha)} h(\alpha,i) \sqsubseteq \inf_{i \in \liminf_\lambda I} \limsup_{\alpha\to\lambda} h(\alpha,i)$. $\square$

Fact (2) states that limsup pushes through infimum, setting $\mathcal{L} = K \to \mathcal{L}'$ for some set $K \supseteq I$, $f(g') = \inf_{i \in I} g'(i)$, and $g(\alpha)(i) = h(\alpha,i)$ in the above definition. Thus, universal quantification is limsup-pushable, which justifies rule CONT-$\forall$ in the figure of Sect. 6. The dual fact (1) expresses that liminf can be pulled out of a supremum.

Fact (3) is a generalization of (2) which we will need to show semi-continuity properties of the function space.

Proof. In the following proof of (3), let all ordinals range below $\lambda$. First we derive

$$\begin{array}{ll}
h(\alpha,i) \sqsubseteq \sup_{\alpha>\alpha_0} h(\alpha,i) & \text{for } \alpha > \alpha_0\\
\inf_{i \in I(\alpha)} h(\alpha,i) \sqsubseteq \inf_{i \in \bigcap_{\alpha>\alpha_0} I(\alpha)} \sup_{\alpha>\alpha_0} h(\alpha,i) & \text{for } \alpha > \alpha_0\\
\sup_{\alpha>\alpha_0} \inf_{i \in I(\alpha)} h(\alpha,i) \sqsubseteq \inf_{i \in \inf_{\alpha>\alpha_0} I(\alpha)} \sup_{\alpha>\alpha_0} h(\alpha,i).
\end{array}$$

($I(\alpha)$ is a set, so intersection = infimum.) Secondly, note that for $J$ monotone and $g$ antitone in $\alpha_0$,

$$\inf_{\alpha_0} \inf_{i \in J(\alpha_0)} g(\alpha_0,i) = \inf_{\alpha_0,\ i \in J(\alpha_0)}\ \inf_{\alpha_0' \ge \alpha_0} g(\alpha_0',i) = \inf_{i \in \sup_{\alpha_0} J(\alpha_0)}\ \inf_{\alpha_0} g(\alpha_0,i).$$





A. ABEL 



With $g(\alpha_0,i) := \sup_{\alpha>\alpha_0} h(\alpha,i)$ and $J(\alpha_0) := \inf_{\alpha>\alpha_0} I(\alpha)$ we finally derive

$$\begin{array}{lcl}
\limsup_{\alpha\to\lambda} \inf_{i \in I(\alpha)} h(\alpha,i) & = & \inf_{\alpha_0} \sup_{\alpha>\alpha_0} \inf_{i \in I(\alpha)} h(\alpha,i)\\
& \sqsubseteq & \inf_{\alpha_0} \inf_{i \in \inf_{\alpha>\alpha_0} I(\alpha)} \sup_{\alpha>\alpha_0} h(\alpha,i)\\
& = & \inf_{i \in \sup_{\alpha_0} \inf_{\alpha>\alpha_0} I(\alpha)} \inf_{\alpha_0} \sup_{\alpha>\alpha_0} h(\alpha,i)\\
& = & \inf_{i \in \liminf_\lambda I} \limsup_{\alpha\to\lambda} h(\alpha,i).
\end{array}$$

$\square$

Lemma 4.4 (liminf can be pulled out of the building blocks of saturated sets).

(1) $r \cdot \liminf_\lambda \mathcal{A} \sqsubseteq \liminf_{\alpha\to\lambda}(r \cdot \mathcal{A}(\alpha))$.

(2) $e^{-1}(\liminf_\lambda \mathcal{A}) \sqsubseteq \liminf_{\alpha\to\lambda} e^{-1}(\mathcal{A}(\alpha))$.

(3) $\liminf_\lambda \mathcal{A} \cap \liminf_\lambda \mathcal{B} \sqsubseteq \liminf_{\alpha\to\lambda}(\mathcal{A}(\alpha) \cap \mathcal{B}(\alpha))$.

(4) $\triangleright(\liminf_\lambda \mathcal{A}) \sqsubseteq \liminf_{\alpha\to\lambda} \triangleright(\mathcal{A}(\alpha))$.

Proof. All propositions have easy proofs. Let all introduced ordinals range below $\lambda$. For proposition (3), assume $r \in \liminf_\lambda \mathcal{A} \cap \liminf_\lambda \mathcal{B}$, which means that there are $\alpha_0, \beta_0$ such that $r \in \mathcal{A}(\alpha)$ for all $\alpha$ with $\alpha_0 < \alpha$ and $r \in \mathcal{B}(\beta)$ for all $\beta$ with $\beta_0 < \beta$. We have to show that there exists $\gamma_0$ such that $r \in \mathcal{A}(\gamma) \cap \mathcal{B}(\gamma)$ for all $\gamma$ with $\gamma_0 < \gamma$. Choose $\gamma_0 := \max(\alpha_0, \beta_0)$. Notice that even $\liminf_\lambda \mathcal{A} \cap \liminf_\lambda \mathcal{B} = \liminf_{\alpha\to\lambda}(\mathcal{A}(\alpha) \cap \mathcal{B}(\alpha))$, since the reverse direction follows immediately from $\mathcal{A}(\alpha) \cap \mathcal{B}(\alpha) \subseteq \mathcal{A}(\alpha), \mathcal{B}(\alpha)$.

For proposition (4), assume $r \triangleright r' \in \liminf_\lambda \mathcal{A}$. There exists $\alpha_0$ such that for all $\alpha > \alpha_0$ we have $r' \in \mathcal{A}(\alpha)$, and thus $r \in \triangleright(\mathcal{A}(\alpha))$. It follows that $r \in \liminf_{\alpha\to\lambda} \triangleright(\mathcal{A}(\alpha))$. $\square$

The last lemma can be dualized to limsup:

Lemma 4.5 (limsup pushes through the building blocks of saturated sets).

(1) $\limsup_{\alpha\to\lambda}(r \cdot \mathcal{A}(\alpha)) \sqsubseteq r \cdot \limsup_\lambda \mathcal{A}$.

(2) $\limsup_{\alpha\to\lambda} e^{-1}(\mathcal{A}(\alpha)) \sqsubseteq e^{-1}(\limsup_\lambda \mathcal{A})$.

(3) $\limsup_{\alpha\to\lambda}(\mathcal{A}(\alpha) \cup \mathcal{B}(\alpha)) \sqsubseteq \limsup_\lambda \mathcal{A} \cup \limsup_\lambda \mathcal{B}$. (only classically!)

(4) $\limsup_{\alpha\to\lambda} \triangleright(\mathcal{A}(\alpha)) \sqsubseteq \triangleright(\limsup_\lambda \mathcal{A})$ if $\mathcal{A}(\alpha) \subseteq \mathcal{V}$ for all $\alpha < \lambda$.

Proof. The first three propositions follow trivially since the infimum and supremum considered are set-theoretic intersection and union. Note that proposition (3) is valid in classical logic but not in intuitionistic logic: An $r$ which inhabits infinitely many unions $\mathcal{A}(\alpha) \cup \mathcal{B}(\alpha)$ must classically inhabit infinitely many $\mathcal{A}(\alpha)$ or infinitely many $\mathcal{B}(\alpha)$. But we cannot tell which of these alternatives holds, so the proposition has no intuitionistic proof. However, we will not need this proposition for the results to follow.

For the last proposition, assume $r \in \limsup_{\alpha\to\lambda} \triangleright(\mathcal{A}(\alpha))$. If we require all following ordinals $< \lambda$, this means that for arbitrary $\alpha_0$ there exist $\alpha > \alpha_0$ and $r' \in \mathcal{A}(\alpha)$ such that $r \triangleright r'$. Since each $r' \in \mathcal{V}$ and safe reduction into $\mathcal{V}$ is deterministic, there is in fact a unique $r'$ with $r \triangleright r'$, and $r' \in \bigcup_{\alpha>\alpha_0} \mathcal{A}(\alpha)$ for all $\alpha_0$; hence, $r \in \triangleright(\limsup_\lambda \mathcal{A})$. $\square$

Proposition (4) of Lemma 4.5 fails if we drop the condition $\mathcal{A}(\alpha) \subseteq \mathcal{V}$: Define an infinite sequence $t_0, t_1, \dots$ of terms by $t_i = \mathsf{out}^{i+1}(\mathsf{fix}^\nu_0\,\mathsf{out})$ and observe that $t_i \triangleright t_{i+1}$. Setting $\mathcal{A}(n) := \{t_i \mid i \ge n\}$ we have $t_0 \in \inf_{n<\omega} \triangleright(\mathcal{A}(n)) \sqsubseteq \limsup_{n\to\omega} \triangleright(\mathcal{A}(n))$, but $\limsup_\omega \mathcal{A} = \inf_\omega \mathcal{A} = \emptyset$, thus $t_0 \notin \triangleright(\limsup_\omega \mathcal{A})$. It did not help that the $\mathcal{A}(n)$ were closed under $\triangleright$-reduction.

Lemma 4.6. Binary sums $\boxplus$ and products $\boxtimes$ and the operations $(-)^\mu$ and $(-)^\nu$ are limsup-pushable and liminf-pullable.

Proof. Directly by the last lemmata. For instance,

$$\begin{array}{lcl}
(\liminf_\lambda \mathcal{A}) \boxtimes (\liminf_\lambda \mathcal{B}) & = & (\mathsf{fst}^{-1} \liminf_\lambda \mathcal{A}) \cap (\mathsf{snd}^{-1} \liminf_\lambda \mathcal{B})\\
& \sqsubseteq & (\liminf_{\alpha\to\lambda} \mathsf{fst}^{-1} \mathcal{A}(\alpha)) \cap (\liminf_{\beta\to\lambda} \mathsf{snd}^{-1} \mathcal{B}(\beta))\\
& \sqsubseteq & \liminf_{\gamma\to\lambda}(\mathsf{fst}^{-1} \mathcal{A}(\gamma) \cap \mathsf{snd}^{-1} \mathcal{B}(\gamma))\\
& = & \liminf_{\gamma\to\lambda}(\mathcal{A}(\gamma) \boxtimes \mathcal{B}(\gamma)).
\end{array}$$

Because we wish to avoid classical reasoning (Lemma 4.5 (3)) as much as possible, pushing limsup through disjoint sums requires a closer look: Assume $r \in \limsup_{\gamma\to\lambda}(\mathcal{A}(\gamma) \boxplus \mathcal{B}(\gamma))$, hence, for some $\gamma$, either $r \triangleright \mathsf{inl}\,r'$ for some $r' \in \mathcal{A}(\gamma)$, or $r \triangleright \mathsf{inr}\,r'$ for some $r' \in \mathcal{B}(\gamma)$, or $r \in \mathcal{N}$. Since safe reduction $\triangleright$ is deterministic, and $\mathcal{N}$ does not contain values, the same one of these three alternatives must hold whenever $r \in \mathcal{A}(\gamma) \boxplus \mathcal{B}(\gamma)$ for some $\gamma$. So either $r \in \triangleright(\mathsf{inl} \cdot (\limsup_\lambda \mathcal{A}))$, or $r \in \triangleright(\mathsf{inr} \cdot (\limsup_\lambda \mathcal{B}))$, or $r \in \mathcal{N}$, which means $r \in (\limsup_\lambda \mathcal{A}) \boxplus (\limsup_\lambda \mathcal{B})$.

Analogously, we show that limsup pushes through $(\cdot)^\mu$. $\square$

Using monotonicity of the product constructor, the lemma entails that $\mathcal{A}(\alpha) \boxtimes \mathcal{B}(\alpha)$ is upper/lower semi-continuous if $\mathcal{A}(\alpha)$ and $\mathcal{B}(\alpha)$ are. This applies also to $\boxplus$.
Theorem 4.7 (Pushing limsup through function space).

$$\limsup_{\alpha\to\lambda}(\mathcal{A}(\alpha) \mathrel{\boxed{\to}} \mathcal{B}(\alpha)) \sqsubseteq (\liminf_\lambda \mathcal{A}) \mathrel{\boxed{\to}} \limsup_\lambda \mathcal{B}.$$

Proof. We use Lemma 4.3 (3).

$$\begin{array}{lcl}
\limsup_{\alpha\to\lambda}(\mathcal{A}(\alpha) \mathrel{\boxed{\to}} \mathcal{B}(\alpha)) & = & \limsup_{\alpha\to\lambda} \bigcap_{s \in \mathcal{A}(\alpha)} (\_\,s)^{-1} \mathcal{B}(\alpha)\\
& \sqsubseteq & \bigcap_{s \in \liminf_\lambda \mathcal{A}} \limsup_{\alpha\to\lambda} (\_\,s)^{-1} \mathcal{B}(\alpha)\\
& \sqsubseteq & \bigcap_{s \in \liminf_\lambda \mathcal{A}} (\_\,s)^{-1} (\limsup_\lambda \mathcal{B})\\
& = & (\liminf_\lambda \mathcal{A}) \mathrel{\boxed{\to}} \limsup_\lambda \mathcal{B}.
\end{array}$$

$\square$

Corollary 4.8. If $\mathcal{A}(\lambda) \sqsubseteq \liminf_\lambda \mathcal{A}$ and $\limsup_\lambda \mathcal{B} \sqsubseteq \mathcal{B}(\lambda)$ then $\limsup_{\alpha\to\lambda}(\mathcal{A}(\alpha) \mathrel{\boxed{\to}} \mathcal{B}(\alpha)) \sqsubseteq \mathcal{A}(\lambda) \mathrel{\boxed{\to}} \mathcal{B}(\lambda)$.

4.3. Coinductive types preserve upper semi-continuity. We have already seen that $\mathcal{S}tream^\alpha(\mathcal{N}\!at^\omega)$ is upper semi-continuous. In this section, we establish means to show that also a type like $\mathcal{S}tream^\alpha(\mathcal{N}\!at^\alpha)$ is upper semi-continuous (which is, by the way, isomorphic to $\mathcal{N}\!at^\alpha \mathrel{\boxed{\to}} \mathcal{N}\!at^\alpha$).

Definition 4.9. A family $\mathcal{F}_\alpha \in \mathcal{L} \to \mathcal{L}'$ ($\alpha \in \mathcal{O}$) is called limsup-pushable if for any $\mathcal{G} \in \mathcal{O} \to \mathcal{L}$,

$$\begin{array}{ll}
\limsup_{\alpha\to\lambda} \mathcal{F}_\gamma(\mathcal{G}_\alpha) \sqsubseteq \mathcal{F}_\gamma(\limsup_{\alpha\to\lambda} \mathcal{G}_\alpha) & \text{for all } \gamma \in \mathcal{O},\\
\limsup_{\alpha\to\lambda} \mathcal{F}_\alpha(\mathcal{G}_\alpha) \sqsubseteq \mathcal{F}_\lambda(\limsup_{\alpha\to\lambda} \mathcal{G}_\alpha) & \text{for all limits } \lambda > 0.
\end{array}$$

The first property is easier to prove, but not entailed by the second property. Usually we will confine ourselves to showing the second.

Lemma 4.10. Let $\mathcal{F}_\alpha \in \mathcal{L} \to \mathcal{L} \xrightarrow{+} \mathcal{L}$ be a family which is limsup-pushable in all arguments. Then for all $\beta$ the family

$$\nu^\beta \mathcal{F}_\alpha \in \mathcal{L} \to \mathcal{L}, \qquad (\nu^\beta \mathcal{F}_\alpha)(\mathcal{G}) := \nu^\beta(\mathcal{F}_\alpha(\mathcal{G})),$$

is limsup-pushable.

Proof. By transfinite induction on $\beta$ we prove for all $\mathcal{G} \in \mathcal{O} \to \mathcal{L}$ that

$$\limsup_{\alpha\to\lambda} \nu^\beta(\mathcal{F}_\alpha(\mathcal{G}_\alpha)) \sqsubseteq \nu^\beta(\mathcal{F}_\lambda(\limsup_\lambda \mathcal{G})).$$

In case $\beta = 0$, both sides become the maximum element of $\mathcal{L}$. In the successor case we have

$$\begin{array}{lcll}
\limsup_{\alpha\to\lambda} \nu^{\beta+1}(\mathcal{F}_\alpha(\mathcal{G}_\alpha)) & = & \limsup_{\alpha\to\lambda} \mathcal{F}_\alpha(\mathcal{G}_\alpha)(\nu^\beta(\mathcal{F}_\alpha(\mathcal{G}_\alpha)))\\
& \sqsubseteq & \mathcal{F}_\lambda(\limsup_\lambda \mathcal{G})(\limsup_{\alpha\to\lambda} \nu^\beta(\mathcal{F}_\alpha(\mathcal{G}_\alpha))) & \mathcal{F}_\alpha \text{ pushable}\\
& \sqsubseteq & \mathcal{F}_\lambda(\limsup_\lambda \mathcal{G})(\nu^\beta(\mathcal{F}_\lambda(\limsup_\lambda \mathcal{G}))) & \mathcal{F}_\alpha \text{ monotone, i.h.}\\
& = & \nu^{\beta+1}(\mathcal{F}_\lambda(\limsup_\lambda \mathcal{G})).
\end{array}$$

In the remaining case, $\beta$ a limit, we exploit that limsup pushes through infima (Lemma 4.3 (2)). $\square$

In the remainder of this part we will show that $\limsup_{\alpha\to\lambda} \nu^{\phi(\alpha)} \mathcal{F}_\alpha \sqsubseteq \nu^{\liminf_\lambda \phi} \mathcal{F}_\lambda$. This will enable us to show that types like $\mathcal{S}tream^\alpha(\mathcal{N}\!at^\alpha)$ are limsup-pushable.

In the following, we will need additional properties of limsup. For the value of $\liminf_\lambda f$ and $\limsup_\lambda f$, only the behavior of $f$ on a final segment of $[0;\lambda[$ is relevant:

Lemma 4.11 (Limit starting later). Let ordinals range below $\lambda$.

(1) $\inf_{\beta_0 \ge \alpha_0} \sup_{\beta > \beta_0} f(\beta) = \inf_{\gamma_0} \sup_{\gamma > \gamma_0} f(\gamma)$.

(2) $\sup_{\beta_0 \ge \alpha_0} \inf_{\beta > \beta_0} f(\beta) = \sup_{\gamma_0} \inf_{\gamma > \gamma_0} f(\gamma)$.

Proof. We show (1); the proof of (2) is analogous. Direction $\sqsupseteq$ follows by monotonicity of $\inf$ (the left hand side takes the infimum over fewer $\beta_0$). For $\sqsubseteq$, we have to show that for all $\gamma_0$ there exists a $\beta_0 \ge \alpha_0$ such that

$$\sup_{\beta > \beta_0} f(\beta) \sqsubseteq \sup_{\gamma > \gamma_0} f(\gamma).$$

Take $\beta_0 = \max(\gamma_0, \alpha_0)$. $\square$

Lemma 4.12 (Splitting limits).

(1) $\limsup_{\beta\to\lambda} h(\beta,\beta) \sqsubseteq \limsup_{\alpha\to\lambda} \limsup_{\beta\to\lambda} h(\alpha,\beta)$ for $h \in \mathcal{O} \xrightarrow{-} \mathcal{O} \to \mathcal{L}$,

(2) $\liminf_{\alpha\to\lambda} \liminf_{\beta\to\lambda} h(\alpha,\beta) \sqsubseteq \liminf_{\beta\to\lambda} h(\beta,\beta)$ for $h \in \mathcal{O} \xrightarrow{+} \mathcal{O} \to \mathcal{L}$.

Proof. Again, we show just (1). Because of antitonicity in the first argument, we have for all $\alpha$:

$$\begin{array}{ll}
h(\beta,\beta) \sqsubseteq h(\alpha,\beta) & \text{for all } \beta \ge \alpha\\
\sup_{\beta>\beta_0} h(\beta,\beta) \sqsubseteq \sup_{\beta>\beta_0} h(\alpha,\beta) & \text{for all } \beta_0 \ge \alpha\\
\inf_{\beta_0 \ge \alpha} \sup_{\beta>\beta_0} h(\beta,\beta) \sqsubseteq \inf_{\beta_0 \ge \alpha} \sup_{\beta>\beta_0} h(\alpha,\beta)\\
\limsup_{\beta\to\lambda} h(\beta,\beta) \sqsubseteq \limsup_{\beta\to\lambda} h(\alpha,\beta) & \text{by Lemma 4.11.}
\end{array}$$

The goal follows by taking the limsup over $\alpha$ on the right hand side (the left hand side does not depend on $\alpha$). $\square$
Next, we show how to push a limsup into $\nu$.

Lemma 4.13. Let $\phi \in \mathcal{O} \to \mathcal{O}$ and $\emptyset \neq I \subseteq \mathcal{O}$. Then (with the operator argument of $\nu$ suppressed and the inequalities understood pointwise)

(1) $\sup_{\alpha \in I} \nu^{\phi(\alpha)} \sqsubseteq \nu^{\inf_I \phi}$,

(2) $\sup_{\alpha \in I} \nu^{\phi(\alpha)} \sqsupseteq \nu^{\inf_I \phi}$,

(3) $\inf_{\alpha \in I} \nu^{\phi(\alpha)} \sqsupseteq \nu^{\sup_I \phi}$, and

(4) $\inf_{\alpha \in I} \nu^{\phi(\alpha)} \sqsubseteq \nu^{\sup_I \phi}$.

Proof. (1) and (3) follow directly from antitonicity of $\nu^{(\cdot)}$. For (2), remember that each non-empty set of ordinals is left-closed, hence $\inf_I \phi = \phi(\alpha)$ for some $\alpha \in I$. The remaining proposition (4) is proven by cases on $\sup_I \phi$. If $\sup_I \phi$ is not a limit ordinal then $\sup_I \phi = \phi(\alpha)$ for some $\alpha \in I$. For this $\alpha$, clearly $\nu^{\phi(\alpha)} \sqsubseteq \nu^{\sup_I \phi}$, which entails the lemma. Otherwise, if $\sup_I \phi$ is a limit ordinal, then by definition of $\nu$ at limits we have to show $\inf_{\alpha \in I} \nu^{\phi(\alpha)} \sqsubseteq \nu^\beta$ for all $\beta < \sup_I \phi$. By definition of the supremum, $\beta < \phi(\alpha)$ for some $\alpha \in I$. Since $\nu$ is antitone, $\nu^{\phi(\alpha)} \sqsubseteq \nu^\beta$, from which we infer our subgoal by forming the infimum on the left hand side. $\square$

Corollary 4.14. $\limsup_{\alpha\to\lambda} \nu^{\phi(\alpha)} = \nu^{\liminf_\lambda \phi}$.

Now we have the tools in hand to prove that coinductive types preserve upper semi-continuity. In the second part of the following theorem, we make use of the fact that our coinductive types close at ordinal $\omega$.

Theorem 4.15 (Upper semi-continuity of coinductive types). Let $\mathcal{F}_\alpha \in \mathcal{L} \to \mathcal{L} \xrightarrow{+} \mathcal{L}$ be a family which is limsup-pushable in all arguments and $\phi \in \mathcal{O} \to \mathcal{O}$. Then

$$\limsup_{\alpha\to\lambda} \nu^{\phi(\alpha)}(\mathcal{F}_\alpha(\mathcal{G}_\alpha)) \sqsubseteq \nu^{\liminf_\lambda \phi}(\mathcal{F}_\lambda(\limsup_\lambda \mathcal{G})).$$

If $\phi$ is affine, then even

$$\limsup_{\alpha\to\lambda} \nu^{\phi(\alpha)}(\mathcal{F}_\alpha(\mathcal{G}_\alpha)) \sqsubseteq \nu^{\phi(\lambda)}(\mathcal{F}_\lambda(\limsup_\lambda \mathcal{G})).$$

For our purposes, an affine function on $\mathcal{O}$ takes the shape $\phi(\alpha) = \min\{b\alpha + \beta, \top^{\mathrm{ord}}\}$ for some $b \in \{0, 1\}$ and $\beta \in \mathcal{O}$.

Proof. Direct. Note that $\nu^{(\cdot)}$ is antitone, so we can split the limsup.

$$\begin{array}{lcll}
\limsup_{\alpha\to\lambda} \nu^{\phi(\alpha)}(\mathcal{F}_\alpha(\mathcal{G}_\alpha)) & \sqsubseteq & \limsup_{\alpha\to\lambda} \limsup_{\gamma\to\lambda} \nu^{\phi(\alpha)}(\mathcal{F}_\gamma(\mathcal{G}_\gamma)) & \text{Lemma 4.12}\\
& \sqsubseteq & \limsup_{\alpha\to\lambda} \nu^{\phi(\alpha)}(\mathcal{F}_\lambda(\limsup_\lambda \mathcal{G})) & \text{Lemma 4.10}\\
& \sqsubseteq & \nu^{\liminf_{\alpha\to\lambda} \phi(\alpha)}(\mathcal{F}_\lambda(\limsup_\lambda \mathcal{G})) & \text{Cor. 4.14}
\end{array}$$

Now we consider affine $\phi$. If $\phi$ is constant, then $\liminf_\lambda \phi = \phi(\lambda)$. Otherwise, $\phi(\alpha) \ge \alpha$, hence $\phi(\lambda) \ge \omega$, and also $\liminf_\lambda \phi \ge \omega$. We only need to show that in our case the greatest fixed-point is reached already at iteration $\omega$. Observe that $\mathcal{H}(\mathcal{X}) := \mathcal{F}_\lambda(\limsup_\lambda \mathcal{G})(\mathcal{X})$ is limsup-pushable, since the family $\mathcal{F}$ is. It suffices to show that $\nu^\omega \mathcal{H} \sqsubseteq \nu^{\omega+1} \mathcal{H}$.

$$\nu^\omega \mathcal{H} = \limsup_{\beta\to\omega} \nu^\beta \mathcal{H} = \limsup_{\beta\to\omega} \nu^{\beta+1} \mathcal{H} = \limsup_{\beta\to\omega} \mathcal{H}(\nu^\beta \mathcal{H}) \sqsubseteq \mathcal{H}(\limsup_{\beta\to\omega} \nu^\beta \mathcal{H}) = \mathcal{H}(\nu^\omega \mathcal{H}) = \nu^{\omega+1} \mathcal{H}.$$

Thus, $\nu^{\omega+1} \mathcal{H} = \nu^\omega \mathcal{H}$, which means that $\nu^\beta \mathcal{H} = \nu^\omega \mathcal{H}$ for all $\beta \ge \omega$; the fixed-point is reached. $\square$

For example, since $\mathcal{F}_\alpha(\mathcal{X}) = (\mathcal{N}\!at^\alpha \boxtimes \mathcal{X})^\nu$ is limsup-pushable, we can infer upper semi-continuity of $\mathcal{S}tream^\alpha(\mathcal{N}\!at^\alpha) = \nu^\alpha \mathcal{F}_\alpha$.

4.4. Inductive types preserve lower semi-continuity. We can dualize the results of the last section and prove that inductive types preserve lower semi-continuity and liminf-pullability.

Definition 4.16. A family $\mathcal{F}_\alpha \in \mathcal{L} \to \mathcal{L}'$ ($\alpha \in \mathcal{O}$) is called liminf-pullable if for all $\mathcal{G} \in \mathcal{O} \to \mathcal{L}$,

$$\begin{array}{ll}
\mathcal{F}_\gamma(\liminf_{\alpha\to\lambda} \mathcal{G}_\alpha) \sqsubseteq \liminf_{\alpha\to\lambda} \mathcal{F}_\gamma(\mathcal{G}_\alpha) & \text{for all } \gamma \in \mathcal{O},\\
\mathcal{F}_\lambda(\liminf_{\alpha\to\lambda} \mathcal{G}_\alpha) \sqsubseteq \liminf_{\alpha\to\lambda} \mathcal{F}_\alpha(\mathcal{G}_\alpha) & \text{for all limits } \lambda > 0.
\end{array}$$

Lemma 4.17. Let $\mathcal{F}_\alpha \in \mathcal{L} \to \mathcal{L} \xrightarrow{+} \mathcal{L}$ be a family which is liminf-pullable in all arguments. Then,

(1) $\mu^\beta(\mathcal{F}_{(\_)}(\_))$ is a liminf-pullable family,

(2) $\mu^{\liminf_\lambda \phi} = \liminf_{\alpha\to\lambda} \mu^{\phi(\alpha)}$.

Theorem 4.18 (Lower semi-continuity of inductive types). Let $\mathcal{F}_\alpha \in \mathcal{L} \to \mathcal{L} \xrightarrow{+} \mathcal{L}$ be a family which is liminf-pullable in all arguments and $\phi \in \mathcal{O} \to \mathcal{O}$. Then

$$\mu^{\liminf_\lambda \phi}(\mathcal{F}_\lambda(\liminf_\lambda \mathcal{G})) \sqsubseteq \liminf_{\alpha\to\lambda} \mu^{\phi(\alpha)}(\mathcal{F}_\alpha(\mathcal{G}_\alpha)).$$

If $\phi$ is lower semi-continuous, then even

$$\mu^{\phi(\lambda)}(\mathcal{F}_\lambda(\liminf_\lambda \mathcal{G})) \sqsubseteq \liminf_{\alpha\to\lambda} \mu^{\phi(\alpha)}(\mathcal{F}_\alpha(\mathcal{G}_\alpha)).$$

Putting the conditions together, $\phi$ is required to be monotone and continuous in the second statement of the theorem. Since $\phi$ is coming from a size expression in our case, such a $\phi$ will either be the identity or a constant function. (The successor function is not continuous!)

Using Thm. 4.18 we can establish lower semi-continuity of $\mathcal{L}ist^\alpha(\mathcal{N}\!at^\alpha)$.

5. Non Semi-Continuous Types

This section is devoted to showing that our list of criteria for semi-continuity is somewhat complete. Concretely, we demonstrate that there is no compositional scheme to establish lower semi-continuity of function types or upper semi-continuity of inductive types.

5.1. Function space and lower semi-continuity. One may wonder whether Cor. 4.8 can be dualized, i.e., does upper semi-continuity of $\mathcal{A}$ and lower semi-continuity of $\mathcal{B}$ entail lower semi-continuity of $\mathcal{C}(\alpha) = \mathcal{A}(\alpha) \mathrel{\boxed{\to}} \mathcal{B}(\alpha)$? The answer is no; e.g., consider $\mathcal{C}(\alpha) = \mathcal{N}\!at^\omega \mathrel{\boxed{\to}} \mathcal{N}\!at^\alpha$. Although $\mathcal{A}(\alpha) = \mathcal{N}\!at^\omega$ is trivially upper semi-continuous, and $\mathcal{B}(\alpha) = \mathcal{N}\!at^\alpha$ is lower semi-continuous, $\mathcal{C}$ is not lower semi-continuous: For instance, the identity function is in $\mathcal{C}(\omega)$ but in no $\mathcal{C}(\alpha)$ for $\alpha < \omega$ (it maps the numeral $\alpha$ to itself, outside $\mathcal{N}\!at^\alpha$), hence also not in $\liminf_\omega \mathcal{C}$. And indeed, if this $\mathcal{C}$ were lower semi-continuous, then our criterion would be unsound, because then by Cor. 4.8 the type $(\mathcal{N}\!at^\omega \mathrel{\boxed{\to}} \mathcal{N}\!at^\alpha) \mathrel{\boxed{\to}} \mathcal{N}\!at^\omega$, which admits a looping function (see introduction), would be upper semi-continuous.

Nevertheless, there are some lower semi-continuous function spaces, for instance, if the domain is a finite type. For example, $\mathcal{B}ool \mathrel{\boxed{\to}} \mathcal{N}\!at^\alpha$ is lower semi-continuous in $\alpha$, which implies that $(\mathcal{B}ool \mathrel{\boxed{\to}} \mathcal{N}\!at^\alpha) \mathrel{\boxed{\to}} \mathcal{N}\!at^\alpha$ could be admissible. This is the type of a maximum function taking its two inputs in the form of a function over booleans ($\mathcal{B}ool \mathrel{\boxed{\to}} \mathcal{N}\!at^\alpha \cong \mathcal{N}\!at^\alpha \boxtimes \mathcal{N}\!at^\alpha$). However, this example is somewhat contrived; it is not clear whether such cases appear in practice, so we will not pursue this further here.

5.2. Inductive types and upper semi-continuity. Pareto [Par00] proves that inductive types are (in our terminology) limsup-pushable. His inductive types denote only finitely branching trees, but we also consider infinite branching, arising from function space embedded in inductive types. Such an infinitely branching type is the type of hungry functions (which consume one argument after the other):

$$\begin{array}{l}
\mathrm{Hungry} : \mathrm{ord} \to * \to *\\
\mathrm{Hungry} := \lambda i \lambda A.\ \mu^i \lambda X.\ A \to X.
\end{array}$$

We are interested in the special case of $\mathrm{Hungry}^i(\mathrm{Nat}^i)$. In the following we show that accepting such a type as the result of recursion will lead to accepting a non-terminating program. As a consequence, infinitely branching inductive data types, such as $\mu^i \lambda X.\ \mathrm{Nat}^i \to X$, do not inherit upper semi-continuity from their defining body, here $\mathrm{Nat}^i \to X$ (recall that $\mathrm{Nat}^i$ is lower semi-continuous, hence $\mathrm{Nat}^i \to X$ is upper semi-continuous). But remember that inductive types can still be upper semi-continuous, e.g., $\mathrm{Hungry}^i(\mathrm{Nat}^\infty) = \mu^i \lambda X.\ \mathrm{Nat}^\infty \to X$, which is covariant in its size index.

Semantically, we set $\mathcal{H}_\alpha = \mu^\alpha \mathcal{F}_\alpha$ where $\mathcal{F}_\alpha(\mathcal{X}) = (\mathcal{N}\!at^\alpha \mathrel{\boxed{\to}} \mathcal{X})^\mu$. Since

$$\limsup_{\alpha\to\lambda} \mathcal{F}_\alpha(\mathcal{G}(\alpha)) \sqsubseteq ((\liminf_{\alpha\to\lambda} \mathcal{N}\!at^\alpha) \mathrel{\boxed{\to}} (\limsup_\lambda \mathcal{G}))^\mu = \mathcal{F}_\lambda(\limsup_\lambda \mathcal{G}),$$

the family $\mathcal{F}_\alpha$ is limsup-pushable. If we had a result like

$$\limsup_{\alpha\to\lambda} \mu^{\phi(\alpha)} \mathcal{F}_\alpha \sqsubseteq \mu^{\limsup_\lambda \phi} \limsup_\lambda \mathcal{F},$$

then $\mathcal{H}$ would be upper semi-continuous, and it would be legal to write the following recursive function:

$$\begin{array}{l}
\mathsf{h} : \forall i.\ \mathrm{Nat}^i \to \mathrm{Hungry}^i(\mathrm{Nat}^i)\\
\mathsf{h} := \mathsf{fix}^\mu_0\, \lambda \mathsf{h} \lambda\_.\ \mathsf{in}\,(\mathsf{s} \circ \mathsf{h} \circ \mathsf{pred})\\[1ex]
\mathsf{h}\,(\mathsf{in}\,\_) \longrightarrow^+ \mathsf{in}\,(\mathsf{s} \circ \mathsf{h} \circ \mathsf{pred})
\end{array}$$

We will show that the existence of $\mathsf{h}$ destroys normalization. In the body of $\mathsf{h}$ we refer to an auxiliary function $\mathsf{s}$. Like its inverse $\mathsf{p}$, it can be defined by induction on $i$.

$$\begin{array}{l}
\mathsf{s} : \forall i \forall j.\ \mathrm{Hungry}^i(\mathrm{Nat}^j) \to \mathrm{Hungry}^i(\mathrm{Nat}^{j+1})\\
\mathsf{s} := \mathsf{fix}^\mu_0\, \lambda \mathsf{s} \lambda h.\ \mathsf{in}\,(\mathsf{s} \circ (\mathsf{out}\,h) \circ \mathsf{pred})\\[1ex]
\mathsf{s}\,(\mathsf{in}\,f) \longrightarrow^+ \mathsf{in}\,(\mathsf{s} \circ f \circ \mathsf{pred})\\[2ex]
\mathsf{p} : \forall i \forall j.\ \mathrm{Hungry}^i(\mathrm{Nat}^{j+1}) \to \mathrm{Hungry}^i(\mathrm{Nat}^j)\\
\mathsf{p} := \mathsf{fix}^\mu_0\, \lambda \mathsf{p} \lambda h.\ \mathsf{in}\,(\mathsf{p} \circ (\mathsf{out}\,h) \circ \mathsf{succ})\\[1ex]
\mathsf{p}\,(\mathsf{in}\,f) \longrightarrow^+ \mathsf{in}\,(\mathsf{p} \circ f \circ \mathsf{succ})
\end{array}$$

(Note that these definitions are perfectly acceptable and not to blame.) Another innocent function is the following. Its type looks funny, since it produces something in the empty type, but let us mind that $\mathrm{Hungry}$, being an inductive type "with nothing to start induction," is also empty.

$$\begin{array}{l}
\mathsf{tr} : \forall i.\ \mathrm{Hungry}^i(\mathrm{Nat}^\infty) \to \forall A.\,A\\
\mathsf{tr} := \mathsf{fix}^\mu_0\, \lambda \mathsf{tr} \lambda h.\ \mathsf{tr}\,((\mathsf{p} \circ (\mathsf{out}\,h) \circ \mathsf{succ})\ \mathsf{zero})\\[1ex]
\mathsf{tr}\,(\mathsf{in}\,f) \longrightarrow^+ \mathsf{tr}\,((\mathsf{p} \circ f \circ \mathsf{succ})\ \mathsf{zero})
\end{array}$$

Some calculation now shows that $\mathsf{tr}\,(\mathsf{h}\,\mathsf{zero})$, the application of $\mathsf{tr}$ to the "bad guy" $\mathsf{h}$, diverges:

$$\begin{array}{lcl}
\mathsf{tr}\,(\mathsf{h}\,\mathsf{zero}) & \longrightarrow^+ & \mathsf{tr}\,(\mathsf{in}\,(\mathsf{s} \circ \mathsf{h} \circ \mathsf{pred}))\\
& \longrightarrow^+ & \mathsf{tr}\,((\mathsf{p} \circ \mathsf{s} \circ \mathsf{h} \circ \mathsf{pred} \circ \mathsf{succ})\ \mathsf{zero})\\
& \longrightarrow^+ & \mathsf{tr}\,(\mathsf{p}\,(\mathsf{s}\,(\mathsf{h}\,\mathsf{zero})))\\
& \longrightarrow^+ & \mathsf{tr}\,(\mathsf{p}\,(\mathsf{s}\,(\mathsf{in}\,(\mathsf{s} \circ \mathsf{h} \circ \mathsf{pred}))))\\
& \longrightarrow^+ & \mathsf{tr}\,(\mathsf{p}\,(\mathsf{in}\,(\mathsf{s}^2 \circ \mathsf{h} \circ \mathsf{pred}^2)))\\
& \longrightarrow^+ & \mathsf{tr}\,(\mathsf{in}\,(\mathsf{p} \circ \mathsf{s}^2 \circ \mathsf{h} \circ \mathsf{pred}^2 \circ \mathsf{succ}))\\
& \longrightarrow^+ & \mathsf{tr}\,((\mathsf{p}^2 \circ \mathsf{s}^2 \circ \mathsf{h} \circ \mathsf{pred}^2 \circ \mathsf{succ}^2)\ \mathsf{zero})\\
& \longrightarrow^+ & \mathsf{tr}\,(\mathsf{p}^2\,(\mathsf{s}^2\,(\mathsf{h}\,\mathsf{zero})))\\
& \longrightarrow^+ & \dots
\end{array}$$
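Here is the divergence above executed rather than calculated by hand, as an added example that is not part of the paper. Sized types are erased: a $\mathrm{Hungry}$ value is a Python closure ($\mathsf{in}$ and $\mathsf{out}$ are the identity on it), naturals are ints with $\mathsf{pred}\,0 = 0$, and each closure carries a description string so the shape of the argument of $\mathsf{tr}$ can be read off after every unfolding. The helper names (`tr_step`, `tr_trace`, `ps_depth`) are this example's, not the paper's.

```python
"""Executing the divergence trace of Section 5.2.

Added example, not from the paper: the sized-type checker is not modelled,
only the untyped reduction behaviour of h, s, p and tr. A value of
Hungry^i(A) = mu^i X. A -> X is represented by a Python function (the
constructor `in` and the destructor `out` are both the identity on the
closure); each closure additionally carries a printable description so
that the shape of the term under `tr` can be inspected after every
unfolding.
"""

def zero():
    return 0

def succ(n):
    return n + 1

def pred(n):                 # predecessor on naturals, as used by h, s and p
    return max(n - 1, 0)

class Hungry:
    """The value `in f`, paired with a description of f for tracing."""
    def __init__(self, f, desc):
        self.f, self.desc = f, desc      # out(self) is self.f

def h(_n):
    # h (in _) -->+ in (s o h o pred); the Nat argument is ignored
    return Hungry(lambda x: s(h(pred(x))), "h zero")

def s(hungry):
    # s (in f) -->+ in (s o f o pred)
    return Hungry(lambda x: s(hungry.f(pred(x))), f"s ({hungry.desc})")

def p(hungry):
    # p (in f) -->+ in (p o f o succ)
    return Hungry(lambda x: p(hungry.f(succ(x))), f"p ({hungry.desc})")

def tr_step(hungry):
    # tr (in f) -->+ tr ((p o f o succ) zero): one unfolding of tr
    return p(hungry.f(succ(zero())))

def tr_trace(hungry, rounds):
    """Run `rounds` unfoldings of tr and return the argument shapes seen.

    A terminating tr would eventually return a value; here each round
    only grows the term, so the list documents the divergence.
    """
    shapes = []
    for _ in range(rounds):
        shapes.append(hungry.desc)
        hungry = tr_step(hungry)
    return shapes

def ps_depth(desc):
    """Count the leading p's and s's of a description p^m (s^n (h zero))."""
    m = n = 0
    while desc.startswith("p ("):
        m, desc = m + 1, desc[3:]
    while desc.startswith("s ("):
        n, desc = n + 1, desc[3:]
    return m, n

if __name__ == "__main__":
    for shape in tr_trace(h(zero()), 4):
        print("tr (" + shape + ")")
```

After $k$ unfoldings the argument of $\mathsf{tr}$ has the shape $\mathsf{p}^k(\mathsf{s}^k(\mathsf{h}\,\mathsf{zero}))$, matching the trace above; nothing ever reduces to a value, so a checker that accepted $\mathsf{h}$ would accept a diverging closed term of the empty type.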



6. A Kinding System for Semi-Continuity

We turn the results of Section 4 into a calculus and define a judgement $\Delta; \Pi \vdash^{iq} F : \kappa$, where $i$ is an ordinal variable with $(i : p\,\mathrm{ord}) \in \Delta$ for some $p$, the bit $q \in \{\ominus, \oplus\}$ states whether the constructor $F$ under consideration is lower ($\ominus$) or upper ($\oplus$) semi-continuous, and $\Pi$ is a context of strictly positive constructor variables $X : +\kappa'$. We will prove (Thm. 6.2) that the family $F(i)$ is limsup-pushable in all $X \in \Pi$ if $q = \oplus$ and liminf-pullable if $q = \ominus$.

The complete listing of rules can be found in the figure at the end of this section; in the following, we discuss a few.

$$\dfrac{\Delta, i{:}{+}\mathrm{ord} \vdash F : \kappa \qquad p \le +}{\Delta, i{:}p\,\mathrm{ord}; \Pi \vdash^{i\oplus} F : \kappa}\ \text{CONT-CO}$$

If $i$ appears only positively in $F$, then $F$ is trivially upper semi-continuous. However, monotonicity does not imply limsup-pushability, so no variables from $\Pi$ may occur in $F$. In the conclusion we may choose to set $p = \circ$, meaning that we forget that $F$ is monotone in $i$. Rule CONT-CONTRA is analogous and rule CONT-IN states that a constant $F$ is (trivially) continuous.

$$\dfrac{X : p\kappa \in \Delta, \Pi \qquad p \le +}{\Delta; \Pi \vdash^{iq} X : \kappa}\ \text{CONT-VAR}$$

Rule CONT-VAR can be used also for $X = i$. It states that the identity is continuous and both limsup-pushable and liminf-pullable.

Using the four rules discussed so far, we can derive semi-continuity properties of ordinal expressions. Expressions like $\infty$ and $\mathsf{s}^n j$ (with $j \neq i$) which are constant in $i$ are trivially continuous; so is the identity $i$. Expressions of the form $\mathsf{s}^n i$ with $n \ge 1$ are only upper semi-continuous (rule CONT-CO), but not lower semi-continuous.

Now we discuss some rules to construct semi-continuous types and type constructors.

$$\dfrac{-\Delta; \diamond \vdash^{i\ominus} A : * \qquad \Delta; \Pi \vdash^{i\oplus} B : *}{\Delta; \Pi \vdash^{i\oplus} A \to B : *}\ \text{CONT-ARR}$$
Strictly positive contexts.

$$\Pi ::= \circ \mid \Pi, X : {+}\kappa^*$$

Semi-continuity $\Delta;\ \Pi \vdash^{q}_{i} F : \kappa$ for $q \in \{\oplus, \ominus\}$.

CONT-CO: $\dfrac{\Delta, i{:}{+}\mathsf{ord} \vdash F : \kappa \qquad p \le {+}}{\Delta, i{:}p\,\mathsf{ord};\ \Pi \vdash^{\oplus}_{i} F : \kappa}$

CONT-CONTRA: $\dfrac{\Delta, i{:}{-}\mathsf{ord} \vdash F : \kappa \qquad p \le {-}}{\Delta, i{:}p\,\mathsf{ord};\ \Pi \vdash^{\ominus}_{i} F : \kappa}$

CONT-IN: $\dfrac{\Delta \vdash F : \kappa}{\Delta, i{:}p\,\mathsf{ord};\ \Pi \vdash^{q}_{i} F : \kappa}$

CONT-VAR: $\dfrac{X{:}p\kappa \in \Delta, \Pi \qquad p \le {+}}{\Delta;\ \Pi \vdash^{q}_{i} X : \kappa}$

CONT-ABS: $\dfrac{\Delta, X{:}p\kappa;\ \Pi \vdash^{q}_{i} F : \kappa'}{\Delta;\ \Pi \vdash^{q}_{i} \lambda X{:}\kappa.\,F : p\kappa \to \kappa'}\quad (X \neq i)$

CONT-APP: $\dfrac{\Delta, i{:}p'\mathsf{ord};\ \Pi \vdash^{q}_{i} F : p\kappa \to \kappa' \qquad p^{-1}\Delta \vdash G : \kappa}{\Delta, i{:}p'\mathsf{ord};\ \Pi \vdash^{q}_{i} F\,G : \kappa'}$

CONT-SUM: $\dfrac{\Delta;\ \Pi \vdash^{q}_{i} A : * \qquad \Delta;\ \Pi \vdash^{q}_{i} B : *}{\Delta;\ \Pi \vdash^{q}_{i} A + B : *}$

CONT-PROD: $\dfrac{\Delta;\ \Pi \vdash^{q}_{i} A : * \qquad \Delta;\ \Pi \vdash^{q}_{i} B : *}{\Delta;\ \Pi \vdash^{q}_{i} A \times B : *}$

CONT-ARR: $\dfrac{{-}\Delta;\ \circ \vdash^{\ominus}_{i} A : * \qquad \Delta;\ \Pi \vdash^{\oplus}_{i} B : *}{\Delta;\ \Pi \vdash^{\oplus}_{i} A \to B : *}$

CONT-$\forall$: $\dfrac{\Delta;\ \Pi \vdash^{\oplus}_{i} F : {\circ}\kappa \to *}{\Delta;\ \Pi \vdash^{\oplus}_{i} \forall_\kappa F : *}$

CONT-MU: $\dfrac{\Delta;\ \Pi, X{:}{+}\kappa^* \vdash^{q}_{i} F : \kappa^* \qquad \Delta \vdash a : \mathsf{ord}}{\Delta;\ \Pi \vdash^{q}_{i} \mu^a(\lambda X{:}\kappa^*.\,F) : \kappa^*}\quad (a = i \text{ or } i \notin \mathrm{FV}(a))$

CONT-NU: $\dfrac{\Delta;\ \Pi, X{:}{+}\kappa^* \vdash^{\oplus}_{i} F : \kappa^* \qquad \Delta \vdash a\ \mathsf{ord}}{\Delta;\ \Pi \vdash^{\oplus}_{i} \nu^a(\lambda X{:}\kappa^*.\,F) : \kappa^*}$

Pure ordinal expressions $\Delta \vdash a\ \mathsf{ord}$.

ORD-$\infty$: $\dfrac{}{\Delta \vdash \infty\ \mathsf{ord}}$ $\qquad$ ORD-VAR: $\dfrac{(i{:}p\,\mathsf{ord}) \in \Delta \qquad p \le {+}}{\Delta \vdash i\ \mathsf{ord}}$ $\qquad$ ORD-S: $\dfrac{\Delta \vdash a\ \mathsf{ord}}{\Delta \vdash \mathsf{s}\,a\ \mathsf{ord}}$

Figure 3: $\mathsf{F}^{\hat\omega}$: Semi-continuous constructors and recursion types.

This rule incarnates Thm. 4.7. Note that, because $A$ is to the left of the arrow, the polarity of all ordinary variables in $\Delta$ is reversed, and $A$ may not contain strictly positive variables.

CONT-NU: $\dfrac{\Delta;\ \Pi, X{:}{+}\kappa^* \vdash^{\oplus}_{i} F : \kappa^* \qquad \Delta \vdash a\ \mathsf{ord}}{\Delta;\ \Pi \vdash^{\oplus}_{i} \nu^a(\lambda X{:}\kappa^*.\,F) : \kappa^*}$

Rule CONT-NU states that strictly positive coinductive types are upper semi-continuous. The ordinal $a$ must be $\infty$ or $\mathsf{s}^n j$ for some $j{:}\mathsf{ord} \in \Delta$ (which may also be identical to $i$).
Lemma 6.1. Assume $\Delta \vdash a\ \mathsf{ord}$ and let $\theta \in [\![\Delta]\!]$, $i$ an ordinal variable, and

$$\varphi := (\alpha \mapsto [\![a]\!]_{\theta[i \mapsto \alpha]}) \in [\![\mathsf{ord}]\!] \to [\![\mathsf{ord}]\!].$$

Then $\varphi$ is affine.

Proof. By induction on $\Delta \vdash a\ \mathsf{ord}$. □

Theorem 6.2 (Soundness of Continuity Derivations). Assume $\Delta;\ \vec X{:}{+}\vec\kappa \vdash^{q}_{i} F : \kappa$. Let $\theta$ be a valuation of the variables in $\Delta$ and set $\mathcal{F}_\alpha(\vec{\mathcal G}) = [\![F]\!]_{\theta[i \mapsto \alpha][\vec X \mapsto \vec{\mathcal G}]}$.

(1) If $q = \ominus$ then the family $\mathcal F$ is lim inf-pullable.

(2) If $q = \oplus$ then the family $\mathcal F$ is lim sup-pushable.

Proof. By induction on the continuity derivation. Some cases:

CONT-NU: $\dfrac{\Delta;\ \vec X{:}{+}\vec\kappa, X{:}{+}\kappa^* \vdash^{\oplus}_{i} F : \kappa^* \qquad \Delta \vdash a\ \mathsf{ord}}{\Delta;\ \vec X{:}{+}\vec\kappa \vdash^{\oplus}_{i} \nu^a(\lambda X{:}\kappa^*.\,F) : \kappa^*}$

Let $\mathcal F_\alpha(\vec{\mathcal G})(\mathcal H) = [\![F]\!]_{\theta[i \mapsto \alpha][\vec X \mapsto \vec{\mathcal G}][X \mapsto \mathcal H]}$ and $\varphi(\alpha) = [\![a]\!]_{\theta[i \mapsto \alpha]}$. By Lemma 6.1, $\varphi$ is affine, and by induction hypothesis, $\mathcal F$ is lim sup-pushable. Thus, we can apply Thm. 4.15 to infer the goal.

CONT-MU: $\dfrac{\Delta;\ \Pi, X{:}{+}\kappa^* \vdash^{q}_{i} F : \kappa^* \qquad \Delta \vdash a : \mathsf{ord}}{\Delta;\ \Pi \vdash^{q}_{i} \mu^a(\lambda X{:}\kappa^*.\,F) : \kappa^*}\quad (a = i \text{ or } i \notin \mathrm{FV}(a))$

$\varphi(\alpha) := [\![a]\!]_{\theta[i \mapsto \alpha]}$ is either constant or the identity, hence it is monotone and continuous. The goal follows from Thm. 4.18. □

Now we are able to formulate the syntactical admissibility criterion for types of $\nabla$-recursive functions.

Definition 6.3 (Syntactic admissibility).

$\Gamma \vdash A\ \mathsf{fix}^n_\mu\text{-adm}$ iff $\Gamma, i : {\circ}\mathsf{ord} \vdash A\,i = \forall \vec X{:}\vec\kappa.\ B_1 \to \dots \to B_n \to \mu^i F\,\vec H \to C : *$

and $\Gamma, i : {\circ}\mathsf{ord};\ \circ \vdash^{\oplus}_{i} \forall \vec X{:}\vec\kappa.\ B_{1..n} \to \mu^i F\,\vec H \to C : *$.

$\Gamma \vdash A\ \mathsf{fix}^n_\nu\text{-adm}$ iff $\Gamma, i : {\circ}\mathsf{ord} \vdash A\,i = \forall \vec X{:}\vec\kappa.\ B_1 \to \dots \to B_n \to \nu^i F\,\vec H : *$

and $\Gamma, i : {\circ}\mathsf{ord};\ \circ \vdash^{\oplus}_{i} \forall \vec X{:}\vec\kappa.\ B_{1..n} \to \nu^i F\,\vec H : *$.

It is easy to check that admissible types fulfill the semantic criteria given at the end of Section 3. We prove Assumption 3.5, restated as the following theorem.

Theorem 6.4 (Soundness of admissibility). If $\Gamma \vdash A\ \mathsf{fix}^n_\nabla\text{-adm}$ and $\theta(X) \in [\![\kappa]\!]$ for all $(X{:}\kappa) \in \Gamma$ then $\mathcal A := [\![A]\!]_\theta \in [\![\mathsf{ord}]\!] \to [\![*]\!]$ has the following properties:

(1) Shape: $\mathcal A(\alpha) = \bigcap_{k \in K} \mathcal B_1(k, \alpha) \boxplus \dots \boxplus \mathcal B_n(k, \alpha) \boxplus \mathcal B(k, \alpha)$ for some $K$ and some $\mathcal B_1, \dots, \mathcal B_n, \mathcal B \in K \times [\![\mathsf{ord}]\!] \to [\![*]\!]$. In case $\nabla = \mu$, $\mathcal B(k, \alpha) = \mathcal I(k, \alpha)^\mu \boxplus \mathcal C(k, \alpha)$ for some $\mathcal I, \mathcal C$. Otherwise, $\mathcal B(k, \alpha) = \mathcal C(k, \alpha)^\nu$ for some $\mathcal C$.

(2) Bottom-check: $\mathcal I(k, 0)^\mu = \bot^*$ in case $\nabla = \mu$ and $\mathcal C(k, 0)^\nu = \top^*$ in case $\nabla = \nu$.

(3) Limit-check: $\inf_{\alpha < \lambda} \mathcal A(\alpha) \sqsubseteq \mathcal A(\lambda)$ for all limit ordinals $\lambda \in [\![\mathsf{ord}]\!] \setminus \{0\}$.

Proof. Set $K := [\![\kappa_1]\!] \times \dots \times [\![\kappa_m]\!]$ with $m := |\vec\kappa|$ and $\mathcal B_i(k, \alpha) := [\![B_i]\!]_{\theta[\vec X \mapsto k][i \mapsto \alpha]}$ for $i = 1..n$. Further, let $\mathcal F(k)(\alpha) := [\![F]\!]_{\theta[\vec X \mapsto k][i \mapsto \alpha]}$ and $\mathcal H := [\![\vec H]\!]_{\theta[\vec X \mapsto k][i \mapsto \alpha]}$.

In case $\nabla = \mu$, first let $\mathcal C(k, \alpha) = [\![C]\!]_{\theta[\vec X \mapsto k][i \mapsto \alpha]}$. Define $\bot^{\kappa^*}(\vec{\mathcal G}) = \bot^*$ and observe that for any $f \in [\![\kappa]\!] \to [\![\kappa]\!]$, $\mu^\alpha f = (f^\mu)^\alpha(\bot^\kappa) = ((f \circ (-)^\mu)^\alpha(\bot^\kappa))^\mu$. (Induction on $\alpha$, using $\bot^\mu = \bot$ and sup-continuity of $(-)^\mu$.) Thus, we can set

$$\mathcal I(k, \alpha) = \big((\mathcal F(k)(\alpha) \circ (-)^\mu)^\alpha(\bot)\big)(\mathcal H)$$

and have $\mathcal I(k, \alpha)^\mu = [\![\mu^i F\,\vec H]\!]_{\theta[\vec X \mapsto k][i \mapsto \alpha]}$. Properties (1) and (2) are hence satisfied. By Thm. 6.2 the type $A$ is upper semi-continuous, which implies (3).

For case $\nabla = \nu$, define $(\mathsf{out} \cdot \top^{\kappa^*})(\vec{\mathcal G}) = \mathsf{out} \cdot \top^*$. Then $(\mathsf{out} \cdot \top)^\nu = \top$. Observe that $\nu^\alpha f = (f^\nu)^\alpha(\top) = ((f \circ (-)^\nu)^\alpha(\mathsf{out} \cdot \top))^\nu$ and set

$$\mathcal C(k, \alpha) = \big((\mathcal F(k)(\alpha) \circ (-)^\nu)^\alpha(\mathsf{out} \cdot \top)\big)(\mathcal H).$$

Then $\mathcal C(k, \alpha)^\nu = [\![\nu^i F\,\vec H]\!]_{\theta[\vec X \mapsto k][i \mapsto \alpha]}$. Using Thm. 6.2 all three properties hold. □

Example 6.5 (Inductive type inside coinductive type). Rule CONT-NU allows the type system to accept the following definition, which assigns an informative type to the stream nats of all natural numbers in ascending order:

$$\mathsf{nats} : \forall i.\ \mathsf{Stream}^i\,\mathsf{Nat}^i$$
$$\mathsf{nats} := \mathsf{fix}_\nu\ \lambda \mathsf{nats}.\ (\mathsf{zero},\ \mathsf{mapStream}\ \mathsf{succ}\ \mathsf{nats})$$

$$\mathsf{mapStream} : \forall A\,\forall B.\ (A \to B) \to \forall i.\ \mathsf{Stream}^i A \to \mathsf{Stream}^i B$$
$$\mathsf{mapStream} := \lambda f.\ \mathsf{fix}_\nu\ \lambda \mathsf{maps}\,\lambda s.\ \mathsf{in}\,(f\,(\mathsf{fst}\,(\mathsf{out}\ s)),\ \mathsf{maps}\,(\mathsf{snd}\,(\mathsf{out}\ s)))$$

The type of nats expresses that if you read the first $n$ elements of the stream, these are numbers $< n$. In particular, the $i$th element of nats is at most $i - 1$. This is the most information a type of nats can carry in our type system.
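As an added worked derivation (not part of the original paper), here is how the admissibility of the type of nats is established with the rules of Figure 3. It writes $\Delta := i{:}{\circ}\mathsf{ord}$ and assumes the unfoldings $\mathsf{Stream}^i A = \nu^i(\lambda X{:}{*}.\,A \times X)$ and $\mathsf{Nat}^i = \mu^i(\lambda Y{:}{*}.\,1 + Y)$; the variable names $X$, $Y$ are chosen here.

```latex
% Goal (Definition 6.3 for fix^0_nu: n = 0, no arguments H):
%   Delta; o  |-^{(+)}_i  nu^i (\lambda X:*. Nat^i x X) : *        with Delta := i:o ord
% CONT-NU peels off nu^i and extends the strictly positive context by X:+*.
\[
\dfrac{
  \dfrac{
    \dfrac{\mathcal{D}_{\mathsf{Nat}}}{\Delta;\, X{:}{+}{*} \vdash^{\oplus}_i \mathsf{Nat}^i : *}
    \qquad
    \dfrac{X{:}{+}{*} \in \Delta,\Pi \qquad {+} \le {+}}{\Delta;\, X{:}{+}{*} \vdash^{\oplus}_i X : *}\ \textsc{cont-var}
  }{\Delta;\, X{:}{+}{*} \vdash^{\oplus}_i \mathsf{Nat}^i \times X : *}\ \textsc{cont-prod}
  \qquad
  \dfrac{(i{:}{\circ}\mathsf{ord}) \in \Delta \qquad {\circ} \le {+}}{\Delta \vdash i\ \mathsf{ord}}\ \textsc{ord-var}
}{\Delta;\, \circ \vdash^{\oplus}_i \nu^{i}(\lambda X{:}{*}.\ \mathsf{Nat}^i \times X) : *}\ \textsc{cont-nu}
\]
% The subderivation D_Nat handles the inductive type inside: CONT-MU with a = i.
% Its side condition (a = i or i not free in a) is met, and the ordinal premise is a
% kinding judgement (KIND-VAR), unlike the pure ordinal premise of CONT-NU above.
\[
\mathcal{D}_{\mathsf{Nat}} \;=\;
\dfrac{
  \dfrac{
    \dfrac{\circ \vdash 1 : *}{\Delta;\, X{:}{+}{*}, Y{:}{+}{*} \vdash^{\oplus}_i 1 : *}\ \textsc{cont-in}
    \qquad
    \dfrac{Y{:}{+}{*} \in \Delta,\Pi}{\Delta;\, X{:}{+}{*}, Y{:}{+}{*} \vdash^{\oplus}_i Y : *}\ \textsc{cont-var}
  }{\Delta;\, X{:}{+}{*}, Y{:}{+}{*} \vdash^{\oplus}_i 1 + Y : *}\ \textsc{cont-sum}
  \qquad
  \dfrac{(i{:}{\circ}\mathsf{ord}) \in \Delta \qquad {\circ} \le {+}}{\Delta \vdash i : \mathsf{ord}}\ \textsc{kind-var}
}{\Delta;\, X{:}{+}{*} \vdash^{\oplus}_i \mu^{i}(\lambda Y{:}{*}.\ 1 + Y) : *}\ \textsc{cont-mu}
\]
% With A := \lambda i. Stream^i Nat^i both conditions of Definition 6.3 hold, so TY-REC gives
%   fix^0_nu : (forall i:ord. Stream^i Nat^i -> Stream^{i+1} Nat^{i+1}) -> Stream^a Nat^a,
% which is the instance the definition of nats uses.
```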

Example 6.6 (Inductive type inside inductive type). In the following, we describe breadth-first traversal of rose (finitely branching) trees whose termination is recognized by $\mathsf{F}^{\hat\omega}$.

$$\mathsf{Rose} : \mathsf{ord} \to * \to *$$
$$\mathsf{Rose} := \lambda i\,\lambda A.\ \mathsf{GRose}^i\,\mathsf{List}^\infty\,A = \lambda i\,\lambda A.\ \mu^i \lambda X.\ A \times \mathsf{List}^\infty X$$

The step function, defined by induction on $j$, traverses a list of rose trees of height $< i + 1$ and produces a list of the roots and a list of the branches (height $< i$).

$$\mathsf{step} : \forall j\,\forall A\,\forall i.\ \mathsf{List}^j(\mathsf{Rose}^{i+1} A) \to \mathsf{List}^j A \times \mathsf{List}^\infty(\mathsf{Rose}^i A)$$

$$\begin{array}{l}
\mathsf{step} := \mathsf{fix}_\mu\ \lambda \mathsf{step}\,\lambda l.\ \mathsf{match}\ l\ \mathsf{with} \\
\quad \mathsf{nil} \mapsto (\mathsf{nil}, \mathsf{nil}) \\
\quad \mathsf{cons}\,(a, rs')\,rs \mapsto \mathsf{match}\ \mathsf{step}\ rs\ \mathsf{with}\ (as, rs'') \mapsto (\mathsf{cons}\ a\ as,\ \mathsf{append}\ rs'\ rs'')
\end{array}$$

Now, bf iterates step on a non-empty forest, which is represented by a single rose tree $r$ and a possibly empty list of rose trees $rs$. It is defined by induction on $i$, the strict upper bound of the tree heights.

$$\mathsf{bf} : \forall i\,\forall A.\ \mathsf{Rose}^i A \to \mathsf{List}^\infty(\mathsf{Rose}^i A) \to \mathsf{List}^\infty A$$

$$\begin{array}{l}
\mathsf{bf} := \mathsf{fix}_\mu\ \lambda \mathsf{bf}\,\lambda r\,\lambda rs.\ \mathsf{match}\ \mathsf{step}\,(\mathsf{cons}\ r\ rs)\ \mathsf{with} \\
\quad (as, \mathsf{nil}) \mapsto as \\
\quad (as, \mathsf{cons}\ r'\ rs') \mapsto \mathsf{append}\ as\ (\mathsf{bf}\ r'\ rs')
\end{array}$$

Function bf terminates because the recursive-call trees in forest $\mathsf{cons}\ r'\ rs'$ are smaller than the input trees in forest $\mathsf{cons}\ r\ rs$. This information is available to the type system through the type of step. The type of bf is admissible for recursion since $\mathsf{List}^\infty(\mathsf{Rose}^i A)$ is lower semi-continuous in $i$, thanks to Thm. 4.18 and rule CONT-MU.

It is clear that admissibility is in no way complete. One can find trivial examples of terminating programs which are refused by the type system because they fail the admissibility check. For instance, take the recursive identity function of type $\forall i.\ \mathsf{Nat}^i \to \mathsf{Nat}^i$ and add an unused argument of type $\mathsf{Nat}^\infty \to \mathsf{Nat}^i$:

$$\mathsf{loopnot} : \forall i.\ \mathsf{Nat}^i \to (\mathsf{Nat}^\infty \to \mathsf{Nat}^i) \to \mathsf{Nat}^i$$
$$\mathsf{loopnot}\ 0\ g = 0$$
$$\mathsf{loopnot}\ (n + 1)\ g = 1 + \mathsf{loopnot}\ n\ (\mathsf{shift}\ g)$$

Its type is not upper semi-continuous, but of course loopnot is terminating.
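As an added worked check (not from the paper), here is how the admissibility test of Definition 6.3 plays out on the type of loopnot, compared with the type of the plain identity, using the rules of Figure 3; it writes $\Delta := i{:}{\circ}\mathsf{ord}$ and assumes the unfolding $\mathsf{Nat}^i = \mu^i(\lambda Y{:}{*}.\,1 + Y)$.

```latex
% Admissibility obligation (Definition 6.3 with fix^0_mu, n = 0, no arguments H),
% writing C := (Nat^oo -> Nat^i) -> Nat^i:
%   Delta; o  |-^{(+)}_i  Nat^i -> C : *          with Delta := i:o ord
% Of the rules that match an arrow type, CONT-CO, CONT-CONTRA and CONT-IN need i to be
% absent or of one polarity in the whole type, and CONT-APP (reading A -> B as the
% application (-> A) B) needs the argument B to be kindable without i; none fits here,
% so CONT-ARR is the only option. It splits the goal into (a) and (b); (b) is again an
% arrow and splits into (c) and (d).
\begin{align*}
 (a)\quad & {-}\Delta;\ \circ \vdash^{\ominus}_i \mathsf{Nat}^i : *
   && \text{derivable: \textsc{cont-mu} with } q = \ominus,\ a = i \\
 (b)\quad & \Delta;\ \circ \vdash^{\oplus}_i (\mathsf{Nat}^\infty \to \mathsf{Nat}^i) \to \mathsf{Nat}^i : *
   && \text{needs \textsc{cont-arr} once more} \\
 (c)\quad & {-}\Delta;\ \circ \vdash^{\ominus}_i \mathsf{Nat}^\infty \to \mathsf{Nat}^i : *
   && \text{not derivable (see below)} \\
 (d)\quad & \Delta;\ \circ \vdash^{\oplus}_i \mathsf{Nat}^i : *
   && \text{derivable: \textsc{cont-mu} with } q = \oplus,\ a = i
\end{align*}
% Why (c) has no derivation (here -Delta = Delta, because -o = o):
%   CONT-ARR     concludes q = (+) only.
%   CONT-CONTRA  needs  i:-ord |- Nat^oo -> Nat^i : *; but mu : ord ->^+ ... requires i
%                at polarity <= +, so Nat^i = mu^i(...) is not kindable with i negative.
%   CONT-IN      needs i not free in the constructor; i occurs in Nat^i.
%   CONT-APP     on (-> Nat^oo) Nat^i needs  p^{-1}Delta |- Nat^i : *  with i not in
%                Delta; fails since Nat^i mentions i.
%   CONT-CO, CONT-VAR, CONT-MU, CONT-NU  do not produce q = (-) for an arrow type.
% Hence the type of loopnot fails the syntactic check. For the identity's type
% forall i. Nat^i -> Nat^i the split yields only (a) and (d), both derivable, so that
% type is admissible and fix^0_mu may be used.
```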



7. Conclusions

We have motivated the importance of semi-continuity for the soundness of type-based termination checking, explored the realm of semi-continuous functions from ordinals to semantic types, and developed a calculus for semi-continuous types. We have seen a few interesting examples involving semi-continuous types; many more can be found in the author's thesis [Abe06b, Ch. 6]. These examples cannot be handled by type-based termination à la Barthe et al. [BFG+04, BGP05, BGP06], but our developments could be directly incorporated into their calculus.

In previous work [Abe03], I have already presented a calculus for admissible recursion types. But the language had neither polymorphism, higher-kinded types, nor semi-continuous types inside each other ($\mathsf{Stream}^i\,\mathsf{Nat}^i$). Hughes, Pareto, and Sabry [HPS96] have also given criteria for admissible types similar to ours, but more ad-hoc ones, not based on the mathematical concept of semi-continuity. Also, a crucial difference is that we also treat infinitely branching data structures. To be fair, I should say that their work has been a major source of inspiration for me.

As a further direction of research, I propose to develop a kinding system where semi-continuity is first class, i.e., one can abstract over semi-continuous constructors, and kind arrows can carry the corresponding polarities $\oplus$ or $\ominus$. First attempts suggest that such a calculus is not straightforward, and a more fine-grained polarity system will be necessary. Important is also the study of semi-continuity properties of dependent types, in order to apply these results to type-based termination in type-theoretic proof assistants.
Appendix A. Complete Specification of $\mathsf{F}^{\hat\omega}$

The following figures display all constructs and rules of $\mathsf{F}^{\hat\omega}$.
Syntactic categories.

$$\begin{array}{lcll}
p & ::= & {+} \mid {-} \mid {\circ} & \text{polarity} \\
\kappa & ::= & * \mid \mathsf{ord} \mid p\kappa \to \kappa' & \text{kind} \\
\kappa^* & ::= & * \mid p\kappa^* \to \kappa^* & \text{pure kind} \\
a, b, A, B, F, G & ::= & C \mid X \mid \lambda X{:}\kappa.\,F \mid F\,G & \text{(type) constructor} \\
C & ::= & 1 \mid {+} \mid {\times} \mid {\to} \mid \forall_\kappa \mid \mu^{\kappa^*} \mid \nu^{\kappa^*} \mid \mathsf{s} \mid \infty & \text{constructor constant} \\
\Delta & ::= & \circ \mid \Delta, X{:}p\kappa & \text{polarized context}
\end{array}$$

The signature $\Sigma$ assigns kinds to constants ($\kappa \to^{p} \kappa'$ means $p\kappa \to \kappa'$).

$$\begin{array}{lcll}
1 & : & * & \text{unit type} \\
{+} & : & * \to^{+} * \to^{+} * & \text{disjoint sum} \\
{\times} & : & * \to^{+} * \to^{+} * & \text{cartesian product} \\
{\to} & : & * \to^{-} * \to^{+} * & \text{function space} \\
\forall_\kappa & : & (\kappa \to^{\circ} *) \to^{+} * & \text{quantification} \\
\mu^{\kappa^*} & : & \mathsf{ord} \to^{+} (\kappa^* \to^{+} \kappa^*) \to^{+} \kappa^* & \text{inductive constructors} \\
\nu^{\kappa^*} & : & \mathsf{ord} \to^{-} (\kappa^* \to^{+} \kappa^*) \to^{+} \kappa^* & \text{coinductive constructors} \\
\mathsf{s} & : & \mathsf{ord} \to^{+} \mathsf{ord} & \text{successor of ordinal} \\
\infty & : & \mathsf{ord} & \text{infinity ordinal}
\end{array}$$

$\nabla$ stands for $\mu$ or $\nu$; $\nabla^a$ for $\nabla\,a$.

Notation.

$\forall X{:}\kappa.\,A$ for $\forall_\kappa(\lambda X{:}\kappa.\,A)$; $\forall X.\,A$ for $\forall X{:}\kappa.\,A$; $\lambda X.\,F$ for $\lambda X{:}\kappa.\,F$; $A + B$ for ${+}\,A\,B$; $A \times B$ for ${\times}\,A\,B$; $A \to B$ for ${\to}\,A\,B$.

Ordering and composition of polarities.

$$p \le p \qquad {\circ} \le p \qquad {+}p = p \qquad {-}{-} = {+} \qquad {\circ}p = {\circ} \qquad pp' = p'p$$

Inverse application of a polarity to a context.

$$\begin{array}{l}
p^{-1}\circ = \circ \\
{+}^{-1}\Delta = \Delta \\
{-}^{-1}(\Delta, X{:}p\kappa) = ({-}^{-1}\Delta), X{:}({-}p)\kappa \\
{\circ}^{-1}(\Delta, X{:}{\circ}\kappa) = ({\circ}^{-1}\Delta), X{:}{\circ}\kappa \\
{\circ}^{-1}(\Delta, X{:}{\pm}\kappa) = {\circ}^{-1}\Delta
\end{array}$$

Kinding $\Delta \vdash F : \kappa$.

KIND-C: $\dfrac{C{:}\kappa \in \Sigma}{\Delta \vdash C : \kappa}$ $\qquad$ KIND-VAR: $\dfrac{X{:}p\kappa \in \Delta \qquad p \le {+}}{\Delta \vdash X : \kappa}$

KIND-ABS: $\dfrac{\Delta, X{:}p\kappa \vdash F : \kappa'}{\Delta \vdash \lambda X{:}\kappa.\,F : p\kappa \to \kappa'}$ $\qquad$ KIND-APP: $\dfrac{\Delta \vdash F : p\kappa \to \kappa' \qquad p^{-1}\Delta \vdash G : \kappa}{\Delta \vdash F\,G : \kappa'}$

Figure 4: $\mathsf{F}^{\hat\omega}$: Kinds and constructors.
Constructor equality $\Delta \vdash F = F' : \kappa$.

EQ-$\infty$: $\dfrac{}{\Delta \vdash \mathsf{s}\,\infty = \infty : \mathsf{ord}}$

EQ-$\beta$: $\dfrac{\Delta, X{:}p\kappa \vdash F : \kappa' \qquad p^{-1}\Delta \vdash G : \kappa}{\Delta \vdash (\lambda X{:}\kappa.\,F)\,G = [G/X]F : \kappa'}$ $\qquad$ EQ-$\eta$: $\dfrac{\Delta \vdash F : p\kappa \to \kappa'}{\Delta \vdash (\lambda X{:}\kappa.\,F\,X) = F : p\kappa \to \kappa'}$

EQ-VAR: $\dfrac{X{:}p\kappa \in \Delta \qquad p \le {+}}{\Delta \vdash X = X : \kappa}$ $\qquad$ EQ-$\lambda$: $\dfrac{\Delta, X{:}p\kappa \vdash F = F' : \kappa'}{\Delta \vdash \lambda X{:}\kappa.\,F = \lambda X{:}\kappa.\,F' : p\kappa \to \kappa'}$

EQ-C: $\dfrac{C{:}\kappa \in \Sigma}{\Delta \vdash C = C : \kappa}$ $\qquad$ EQ-APP: $\dfrac{\Delta \vdash F = F' : p\kappa \to \kappa' \qquad p^{-1}\Delta \vdash G = G' : \kappa}{\Delta \vdash F\,G = F'\,G' : \kappa'}$

EQ-SYM: $\dfrac{\Delta \vdash F = F' : \kappa}{\Delta \vdash F' = F : \kappa}$ $\qquad$ EQ-TRANS: $\dfrac{\Delta \vdash F_1 = F_2 : \kappa \qquad \Delta \vdash F_2 = F_3 : \kappa}{\Delta \vdash F_1 = F_3 : \kappa}$

Constructor subtyping $\Delta \vdash F \le F' : \kappa$.

LEQ-S-R: $\dfrac{\Delta \vdash a : \mathsf{ord}}{\Delta \vdash a \le \mathsf{s}\,a : \mathsf{ord}}$ $\qquad$ LEQ-$\infty$: $\dfrac{\Delta \vdash a : \mathsf{ord}}{\Delta \vdash a \le \infty : \mathsf{ord}}$

LEQ-$\lambda$: $\dfrac{\Delta, X{:}p\kappa \vdash F \le F' : \kappa'}{\Delta \vdash \lambda X{:}\kappa.\,F \le \lambda X{:}\kappa.\,F' : p\kappa \to \kappa'}$

LEQ-APP: $\dfrac{\Delta \vdash F \le F' : p\kappa \to \kappa' \qquad p^{-1}\Delta \vdash G : \kappa}{\Delta \vdash F\,G \le F'\,G : \kappa'}$

LEQ-APP+: $\dfrac{\Delta \vdash F : {+}\kappa \to \kappa' \qquad \Delta \vdash G \le G' : \kappa}{\Delta \vdash F\,G \le F\,G' : \kappa'}$

LEQ-APP$-$: $\dfrac{\Delta \vdash F : {-}\kappa \to \kappa' \qquad {-}^{-1}\Delta \vdash G' \le G : \kappa}{\Delta \vdash F\,G \le F\,G' : \kappa'}$

LEQ-REFL: $\dfrac{\Delta \vdash F = F' : \kappa}{\Delta \vdash F \le F' : \kappa}$ $\qquad$ LEQ-TRANS: $\dfrac{\Delta \vdash F_1 \le F_2 : \kappa \qquad \Delta \vdash F_2 \le F_3 : \kappa}{\Delta \vdash F_1 \le F_3 : \kappa}$

LEQ-ANTISYM: $\dfrac{\Delta \vdash F \le F' : \kappa \qquad \Delta \vdash F' \le F : \kappa}{\Delta \vdash F = F' : \kappa}$

Figure 5: $\mathsf{F}^{\hat\omega}$: Constructor equality and subtyping.
Syntactic categories.

$$\begin{array}{lcll}
r, s, t & ::= & c \mid x \mid \lambda x t \mid r\,s & \text{term} \\
c & ::= & () \mid \mathsf{pair} \mid \mathsf{fst} \mid \mathsf{snd} \mid \mathsf{inl} \mid \mathsf{inr} \mid \mathsf{case} \mid \mathsf{in} \mid \mathsf{out} \mid \mathsf{fix}^n_\mu \mid \mathsf{fix}^n_\nu & \text{constant } (n \in \mathbb{N}) \\
v & ::= & \lambda x t \mid () \mid \mathsf{pair}\,t_1\,t_2 \mid \mathsf{inl}\,t \mid \mathsf{inr}\,t \mid \mathsf{in}\,t \mid c \mid \mathsf{pair}\,t \mid \mathsf{fix}^n_\nabla\,s\,t_{1..m} & \text{value } (m \le n) \\
e(\_) & ::= & \_\,s \mid \mathsf{fst}\,\_ \mid \mathsf{snd}\,\_ \mid \mathsf{case}\,\_ \mid \mathsf{out}\,\_ \mid \mathsf{fix}^n_\nabla\,s\,t_{1..n}\,\_ & \text{evaluation frame} \\
E(\_) & ::= & e_1(\dots e_n(\_)\dots) & \text{eval. cxt. } (n \ge 0) \\
\Gamma & ::= & \circ \mid \Gamma, x{:}A \mid \Gamma, X{:}p\kappa & \text{typing context}
\end{array}$$

Notation: $(r, s)$ for $\mathsf{pair}\,r\,s$; $t_{1..n}$ for $t_1\,t_2 \dots t_n$.

Reduction $t \longrightarrow t'$.

$$\begin{array}{rcl}
(\lambda x t)\,s & \longrightarrow & [s/x]t \\
\mathsf{fst}\,(r, s) & \longrightarrow & r \\
\mathsf{snd}\,(r, s) & \longrightarrow & s \\
\mathsf{case}\,(\mathsf{inl}\,r) & \longrightarrow & \lambda x\lambda y.\,x\,r \\
\mathsf{case}\,(\mathsf{inr}\,r) & \longrightarrow & \lambda x\lambda y.\,y\,r \\
\mathsf{out}\,(\mathsf{in}\,r) & \longrightarrow & r \\
\mathsf{fix}^n_\mu\,s\,t_{1..n}\,(\mathsf{in}\,t) & \longrightarrow & s\,(\mathsf{fix}^n_\mu\,s)\,t_{1..n}\,(\mathsf{in}\,t) \\
\mathsf{out}\,(\mathsf{fix}^n_\nu\,s\,t_{1..n}) & \longrightarrow & \mathsf{out}\,(s\,(\mathsf{fix}^n_\nu\,s)\,t_{1..n}) \\
[s/x]t & \longrightarrow & [s'/x]t \quad \text{if } s \longrightarrow s'
\end{array}$$

The signature $\Sigma$ contains types for some constants:

$$\begin{array}{rcl}
\mathsf{pair} & : & \forall A\,\forall B.\ A \to B \to A \times B \\
\mathsf{fst} & : & \forall A\,\forall B.\ A \times B \to A \\
\mathsf{snd} & : & \forall A\,\forall B.\ A \times B \to B \\
() & : & 1 \\
\mathsf{inl} & : & \forall A\,\forall B.\ A \to A + B \\
\mathsf{inr} & : & \forall A\,\forall B.\ B \to A + B \\
\mathsf{case} & : & \forall A\,\forall B\,\forall C.\ A + B \to (A \to C) \to (B \to C) \to C \\
\mathsf{in} & : & \forall F{:}\kappa^* \to^{+} \kappa^*.\ \forall G_1{:}\kappa_1^*.\ \dots\ \forall G_n{:}\kappa_n^*.\ \forall i{:}\mathsf{ord}.\ F\,(\nabla^i_{\kappa^*} F)\,\vec G \to \nabla^{i+1}_{\kappa^*} F\,\vec G \\
\mathsf{out} & : & \forall F{:}\kappa^* \to^{+} \kappa^*.\ \forall G_1{:}\kappa_1^*.\ \dots\ \forall G_n{:}\kappa_n^*.\ \forall i{:}\mathsf{ord}.\ \nabla^{i+1}_{\kappa^*} F\,\vec G \to F\,(\nabla^i_{\kappa^*} F)\,\vec G
\end{array}$$

($\nabla \in \{\mu, \nu\}$ and $\kappa^* = p_1\kappa_1^* \to \dots \to p_n\kappa_n^* \to *$)

Well-formed typing contexts.

CXT-EMPTY: $\dfrac{}{\circ\ \mathsf{cxt}}$ $\qquad$ CXT-TYVAR: $\dfrac{\Gamma\ \mathsf{cxt}}{\Gamma, X{:}{\circ}\kappa\ \mathsf{cxt}}$ $\qquad$ CXT-VAR: $\dfrac{\Gamma\ \mathsf{cxt} \qquad \Gamma \vdash A : *}{\Gamma, x{:}A\ \mathsf{cxt}}$

Typing $\Gamma \vdash t : A$.

TY-C: $\dfrac{(c{:}A) \in \Sigma}{\Gamma \vdash c : A}$ $\qquad$ TY-VAR: $\dfrac{(x{:}A) \in \Gamma \qquad \Gamma\ \mathsf{cxt}}{\Gamma \vdash x : A}$

TY-APP: $\dfrac{\Gamma \vdash r : A \to B \qquad \Gamma \vdash s : A}{\Gamma \vdash r\,s : B}$ $\qquad$ TY-ABS: $\dfrac{\Gamma, x{:}A \vdash t : B}{\Gamma \vdash \lambda x t : A \to B}$

TY-SUB: $\dfrac{\Gamma \vdash t : A \qquad \Gamma \vdash A \le B : *}{\Gamma \vdash t : B}$

TY-GEN: $\dfrac{\Gamma, X{:}{\circ}\kappa \vdash t : F\,X}{\Gamma \vdash t : \forall_\kappa F}$ $\qquad$ TY-INST: $\dfrac{\Gamma \vdash t : \forall_\kappa F \qquad \Gamma \vdash G : \kappa}{\Gamma \vdash t : F\,G}$

TY-REC: $\dfrac{\Gamma \vdash A\ \mathsf{fix}^n_\nabla\text{-adm} \qquad \Gamma \vdash a : \mathsf{ord}}{\Gamma \vdash \mathsf{fix}^n_\nabla : (\forall i{:}\mathsf{ord}.\ A\,i \to A\,(i + 1)) \to A\,a}$

Figure 6: $\mathsf{F}^{\hat\omega}$: Terms, reduction and typing.